Helpmij tegen spyware offensief (deel 7)

[buffy]

Groen

Geplaatst door groen

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gwztg.dll/sp.html#26980
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwztg.dll/sp.html#26980
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gwztg.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gwztg.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gwztg.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gwztg.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gwztg.dll/sp.html#26980

O2 - BHO: (no name) - {E2FF6CD4-8C87-9B6D-3707-80D3C44B04E0} - C:\WINDOWS\apiur32.dll

O4 - HKLM\..\Run: [kavenyrqqqqwn] C:\WINDOWS\System32\qlhriv.exe
O4 - HKLM\..\Run: [d3vi32.exe] C:\WINDOWS\d3vi32.exe
O4 - HKLM\..\RunOnce: [d3sw.exe] C:\WINDOWS\system32\d3sw.exe
O4 - HKLM\..\RunOnce: [crca32.exe] C:\WINDOWS\crca32.exe
O4 - HKLM\..\RunOnce: [ippj.exe] C:\WINDOWS\ippj.exe
O4 - HKLM\..\RunOnce: [sysfe.exe] C:\WINDOWS\system32\sysfe.exe
O4 - HKLM\..\RunOnce: [ipyj.exe] C:\WINDOWS\system32\ipyj.exe
O4 - HKLM\..\RunOnce: [d3zo32.exe] C:\WINDOWS\system32\d3zo32.exe
O4 - HKLM\..\RunOnce: [d3kn32.exe] C:\WINDOWS\system32\d3kn32.exe
O4 - HKLM\..\RunOnce: [apiri32.exe] C:\WINDOWS\apiri32.exe
O4 - HKLM\..\RunOnce: [mfcdn.exe] C:\WINDOWS\system32\mfcdn.exe
O4 - HKLM\..\RunOnce: [ntuc32.exe] C:\WINDOWS\ntuc32.exe
O4 - HKLM\..\RunOnce: [crkk.exe] C:\WINDOWS\crkk.exe
O4 - HKLM\..\RunOnce: [winaw.exe] C:\WINDOWS\winaw.exe
O4 - HKLM\..\RunOnce: [mssn.exe] C:\WINDOWS\system32\mssn.exe
O4 - HKLM\..\RunOnce: [msqd32.exe] C:\WINDOWS\system32\msqd32.exe
O4 - HKLM\..\RunOnce: [winfb.exe] C:\WINDOWS\winfb.exe
O4 - HKLM\..\RunOnce: [atlth32.exe] C:\WINDOWS\atlth32.exe
O4 - HKLM\..\RunOnce: [appdd.exe] C:\WINDOWS\appdd.exe
O4 - HKLM\..\RunOnce: [ipdl32.exe] C:\WINDOWS\system32\ipdl32.exe
O4 - HKLM\..\RunOnce: [apipc.exe] C:\WINDOWS\apipc.exe
O4 - HKLM\..\RunOnce: [addqx32.exe] C:\WINDOWS\system32\addqx32.exe
O4 - HKLM\..\RunOnce: [crti.exe] C:\WINDOWS\system32\crti.exe
O4 - HKLM\..\RunOnce: [mfcak.exe] C:\WINDOWS\system32\mfcak.exe
O4 - HKLM\..\RunOnce: [crad32.exe] C:\WINDOWS\system32\crad32.exe
O4 - HKLM\..\RunOnce: [sysuy32.exe] C:\WINDOWS\sysuy32.exe
O4 - HKLM\..\RunOnce: [msna.exe] C:\WINDOWS\msna.exe
O4 - HKLM\..\RunOnce: [msjx32.exe] C:\WINDOWS\msjx32.exe
O4 - HKLM\..\RunOnce: [javavp.exe] C:\WINDOWS\system32\javavp.exe

Hallo Groen,

Deze variant van CWS is bijzonder moeilijk te verwijderen. Probeer eerst het onderstaande eens. Graag precies doen wat er staat.


1. Download about:buster -> http://tools.zerosrealm.com/AboutBuster.zip (directe downloadlink)
Unzip het bestand naar je bureaublad. Nog niet gebruiken, alleen klaarzetten op je bureaublad.

2. Scan met HijackThis, vink de bovenstaande items (zie quote) aan, sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".
(Dat sluiten van alle vensters is echt belangrijk. Er mag zeker niets van Internet Explorer en je mailprogramma open staan. Deze pagina van Helpmij mag dus ook niet open staan!)

3. Dubbelklik op about:buster.exe, klik op OK, klik op Start, klik op OK.
Als het goed is worden de foute bestanden nu verwijderd.

4. Herstart de pc.

5. Download de nieuwste versie van HijackThis even: http://www.majorgeeks.com/download3155.html
Maak daarmee een nieuw log en plaats dat hier.


Groetjes,

Buffy

 

[indewar]

Hallo!
Op aanraden van H@NsiePanzzzer http://www.helpmij.nl/forum/showthread.php?threadid=174172 hierbij mijn HijackThis logfile.

Met nog een keertje mijn 'probleempjes':
Bitdefender's online scanner resultaat:
C:\win2k3.exe=>(RAR Sfx o)=>pk2.exe=>(RAR Sfx o)=>sbaanetapi.dll=>(Upx) infected: Trojan.RpcLsa.B
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8X8VIHIN\pb25[1].exe=>(RAR Sfx o)=>pk2.exe=>(RAR Sfx o)=>sbaanetapi.dll=>(Upx) infected: Trojan.RpcLsa.B
C:\WINDOWS\system32\config\systemprofile\winupd\sbaanetapi.dll=>(Upx) infected: Trojan.RpcLsa.B
C:\WINDOWS\system32\config\systemprofile\winupd\sbaanetapi.dll=>(Upx) unable to disinfect

NAV2004 resultaat:
4 bestanden geinfecteerd met w32.IRCBot.Gen:
2x "gecomprimeerd bestand winupd.dll (in winupd.dll) in pk3.exe in
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8X8VIHIN\pb25[1].exe"
2x "gecomprimeerd bestand winupd.dll (in winupd.dll) in pk3.exe in C:\win2k3.exe"
(bovenstaand dus steeds 1x met tussen haakjes en 1x zonder tussen haakjes)



Logfile of HijackThis v1.98.2
Scan saved at 13:47:45, on 17-8-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eigenaar\Local Settings\Temp\Tijdelijke map 3 voor hijackthis1982.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tele2.nl/redirect/startpage/dial_up/dut/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.nl/redirect/startpage/dial_up/dut/
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

 

[H@ns]

Geplaatst door indewar

Hoi weer

Ik kan niets bijzonders vinden in je logje...

Maar aangezien de meeste in je tijdelijke mappen zitten:

Download en draai CleanUp!.

Start hierna opnieuw op in veilige modus, en draai CleanUp! opnieuw.

Start op in normale modus, en draai Bitdefender nog eens

 

[Danae]

Hi,
hier is mijn log (opnieuw!), ditmaal excuses van mijn bezoek die ongevraagde zaken op mijn computer heeft toegelaten. Zouden jullie er even naar kunnen kijken? Alvast (en opnieuw) enorm bedankt!

Logfile of HijackThis v1.98.0
Scan saved at 15:20:43, on 17-8-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\IOMEGA CD-RW\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA CD-RW\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.volkskrant.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.volkskrant.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door chello broadband n.v.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [Systeemwerkbalk] SysTray.Exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: schijfcontrole.lnk = C:\WINDOWS\SCANDSKW.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.nl/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - http://quickfix2.chello.nl/QuickFix2/asp/chelloInstall.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

 

[indewar]

@H@NsiePanzzzer

Bedankt voor het checken en de Clean Up tip, maar heeft helaas niet geholpen.

Groeten!

 

[buffy]

indewar

Geplaatst door indewar
@H@NsiePanzzzer

Bedankt voor het checken en de Clean Up tip, maar heeft helaas niet geholpen.

Groeten!

Hallo indewar,

Start de pc in veilige modus.
Uitleg: http://www.virushelp.nl/veilige_modus.htm

Zorg dat verborgen bestanden en mappen worden weergegeven (belangrijk!). Dat doe je door in de Verkenner naar Extra -> Mapopties -> Weergave te gaan en daar:
1) het vinkje voor "Beveiligde besturingssysteembestanden verbergen (aanbevolen)" te verwijderen, en
2) een vinkje te plaatsen voor "Verborgen bestanden en mappen weergeven".

Verwijder nu, in veilige modus dus, de inhoud van de map C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5. Dus alles wat in die map "Content.IE5" zit weggooien.

Herstart de pc in 'normale modus'.

 

[H@ns]

Geplaatst door Danae

R3 - Default URLSearchHook is missing

O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

Hoi Danae

Niet veel bijzonders.

1. Vink bovenstaande aan in HijackThis, sluit alle andere vensters en browsers, en klik op Fix Checked.

2. Start opnieuw op, maak een nieuw logje aan en post dat hier.

 

[D3nnis]

hijack this

Logfile of HijackThis v1.98.2
Scan saved at 16:16:30, on 17-8-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\IEPopupKiller\PopupKillerTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Dennis Van Proumeren.THUIS-CVSFYKHW1\Mijn documenten\hijackthis 2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEPopupKillerBHO.CIEPopupKillerBHO - {31801B7B-6A29-43A2-A54F-A8920FA70F9C} - C:\Program Files\IEPopupKiller\IEPopupKillerBHO.dll
O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

 

[H@ns]

Re: hijack this

Geplaatst door D3nnis

Hoi Dennis,

Zet eerst even de backups terug zoals ik je in je eerdere post al aanraadde, dit is namelijk niet een compleet log. (je had NOOIT alles zelf moeten fixen )

 

[Jaroen]

Zo Goed gedaan dan

Logfile of HijackThis v1.98.0
Scan saved at 16:41:45, on 17-8-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\Gebruiker\Mijn documenten\Jeroen\Belangrijke Documetnen\MsgPlus.exe
C:\Documents and Settings\Gebruiker\Mijn documenten\Jeroen\Spelletjes\Winamp\winampa.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\intl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documenten\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Gebruiker\Mijn documenten\Jeroen\Hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bzrcrsibbzztkpz.com/UVQvGHQnFTPSLvIuKpDoaR3t0wn9SpUGxj_WgM49v5KcAWtIZv048AxAh9S90_u2.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\IEHelper.dll
O2 - BHO: (no name) - {8B18F156-07A9-2455-EDF7-6F92F11ED2E4} - C:\PROGRA~1\WARNFO~1\That Pure.exe
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\nl\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Gebruiker\Mijn documenten\Jeroen\Belangrijke Documetnen\MsgPlus.exe"
O4 - HKLM\..\Run: [BUILD UP] C:\PROGRA~1\KNOBTR~1\Pile sect curb.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Gebruiker\Mijn documenten\Jeroen\Spelletjes\Winamp\winampa.exe
O4 - HKLM\..\Run: [Scr real site live] C:\Documents and Settings\All Users\Application Data\BARB DRV SCR REAL\blue live.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\System32\drvddll.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

 

[BJBD]

Hier nog even een controlle log:


Logfile of HijackThis v1.98.2
Scan saved at 16:46:10, on 17-8-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\SxgTkBar.exe
E:\windows\system32\qttask.exe
C:\WINDOWS\System32\PDesk.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
E:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\mysql\bin\winmysqladmin.exe
F:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
E:\PROGRA~1\NETSUP~1\client32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mgabg.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PMail\winpm-32.exe
C:\Documents and Settings\Bert Jan Brouwer\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
F2 - REG:system.ini: Shell=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.nu.nl/"); (C:\Documents and Settings\Bert Jan Brouwer\Application Data\Mozilla\Profiles\default\d23njr2v.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (C:\Documents and Settings\Bert Jan Brouwer\Application Data\Mozilla\Profiles\default\d23njr2v.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - E:\Program Files\Zend\bin\ZendIEToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\windows\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstBoot.exe
O4 - HKLM\..\Run: [GroksterSupport] wjview /cp "C:\Program Files\GroksterSupport\System\Code" Main lp: "C:\Program Files\GroksterSupport"
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "F:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [avast!] F:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "E:\Program Files\Ares\ares.exe" -h
O4 - HKCU\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Update Grokster.lnk = E:\Program Files\Grokster\WiseUpdt.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Grokster Support - file://C:\Program Files\GroksterSupport\System\Temp\grokstershop_script0.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - E:\Program Files\Zend\bin\ZendIEToolbar.dll
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - E:\Program Files\Zend\bin\ZendIEToolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://chatsite.chatspace.com:8246/Java/cfs31218.cab
O16 - DPF: EnigmaApplet - http://www.sereon.com/eapplet/appletdu.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab

 

[H@ns]

Re: Zo Goed gedaan dan

Geplaatst door Jaroen

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bzrcrsibbzztkpz.com/UVQvGHQnFTPSLvIuKpDoaR3t0wn9SpUGxj_WgM49v5KcAWtIZv048AxAh9S90_u2.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html

O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\IEHelper.dll
O2 - BHO: (no name) - {8B18F156-07A9-2455-EDF7-6F92F11ED2E4} - C:\PROGRA~1\WARNFO~1\That Pure.exe

O4 - HKLM\..\Run: [BUILD UP] C:\PROGRA~1\KNOBTR~1\Pile sect curb.exe
O4 - HKLM\..\Run: [Scr real site live] C:\Documents and Settings\All Users\Application Data\BARB DRV SCR REAL\blue live.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\System32\drvddll.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Leuke rotzooi...

1. Ga naar Start - Configuratiescherm - Software en de-installeer:
NewDotNet/New.Net

2. Vink bovenstaande aan in HijackThis, sluit alle andere vensters en browsers, en klik op Fix Checked.

3. Start opnieuw op in veilige modus, en verwijder:
MAPPEN:
C:\Program Files\Plus18Point
C:\PROGRA~1\WARNFO....
C:\PROGRA~1\KNOBTR....
C:\Documents and Settings\All Users\Application Data\BARB DRV SCR REAL
C:\WINDOWS\mslagent
C:\PROGRA~1\NEWDOTNET

BESTANDEN:
C:\WINDOWS\system32\IEHelper.dll
C:\WINDOWS\System32\intl.exe
C:\WINDOWS\System32\drvddll.exe

4. Start op in normale modus, maak een nieuw logje aan en post dat hier.

 

[H@ns]

Geplaatst door BJBD

Je bent schoon nu, maar ik dacht gehoord te hebben dat Ares spyware bevatte/veel virussen laat downloaden...

Je IE en Windows zijn harstikke lek. Je moet ze nodig updaten door naar Windows Update te gaan:

Internet Explorer | Extra | Windows Update

Download en installeer ten minste ALLE essentiele updates.

 

[indewar]

opgelucht!

@Buffy

Ontzettend bedankt, daar geen IRCBot meer te vinden.
Zal hier verder geen ruimte verspillen, maar kan je als je tijd hebt misschien nog even kijken in mijn post in virus? http://www.helpmij.nl/forum/showthread.php?postid=1157783#post1157783

Iedereen bedankt alvast voor al jullie tijd en moeite!!

 

[Jaroen]

Deze kank niet vinden?

NewDotNet/New.Net

 

[H@ns]

Geplaatst door Jaroen
Deze kank niet vinden?

NewDotNet/New.Net

Maakt niet uit, alleen maar beter. Ga verder met de volgende stap

 

[dOmO]

searchtheweb toolbars

wat heb ik tot nu toe gedaan:
adaware 6 met nieuwste updates gedaan
CWS shredder gedaan
maar hij blijft nog steeds, hier de hijjackthislog:

zou je aub ook de startup wat sneller doen, niet dat ie enorm traag is maar dat alle troep iig verdwenen is .



Logfile of HijackThis v1.97.7
Scan saved at 17:03:01, on 17-8-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Sun Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\swl\Desktop\antispam\niew\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ancdpkkrop.com/Qf8tIHKJUekjh5S0sDWOiW5x8OsNyf5QIhHeGv8JdIw.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.kkynsylwqg.net/Qf8tIHKJUemFaGvx5el5ca71XLAFCnp2ssO6YPht0tMvCM1BBr0IzsPVFtuo2V90.jsp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A8AAEEC-F30D-D3C4-E840-5803C976C16A} - C:\PROGRA~1\MIXOKA~1\Body flap.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Sun Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CLOSESTUPID] C:\PROGRA~1\GPLSET~1\cast dead.exe
O4 - HKLM\..\Run: [Platformlicensehidetwo] C:\Documents and Settings\All Users\Application Data\Idlemailplatformlicense\MultiUser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37856.5365162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab27571.cab

alvast bedankt !

 

[H@ns]

Re: searchtheweb toolbars

Geplaatst door dOmO

Doe dit eerst:

Download de nieuwste versie van Ad AWare, Ad Aware SE, hier:
Ad Aware SE

De-installeer Ad Aware 6 en installeer daarna SE. Update en scan ermee.

Reboot.

Download de nieuwste versie van HijackThis hier:
http://radiosplace.com

Maak hiermee een nieuw logje, wat je hier post

 

[joepie]

Hardstikke bedankt

 

[crash]

Re: searchtheweb toolbars

Geplaatst door dOmO
:zou je aub ook de startup wat sneller doen, niet dat ie enorm traag is maar dat alle troep iig verdwenen is .

De opstart wordt om verschillende redenen niet meer nagekeken.
Kijk daarvoor naar deze topic;
Hoe van je overbodige opstartitems af te komen <--klik.
Je kunt dit makkelijk, aan de hand van de uitleg, zelf doen.