Helpmij offensive against spyware

Status
Not open for further replies.
Hi pieter,

Whichever website I try to go to, I end up at yahoo. I can still visit websites via links, which is how I got here after all. There is also a yellow icon with a blue question mark in my toolbar that cannot be removed. Here is my log:

Logfile of HijackThis v1.97.2
Scan saved at 15:03:41, on 27-9-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\NORMAN\nvc\BIN\ZLH.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\WINDOWS\winupdate.exe
C:\WINDOWS\System32\w32sup.exe
C:\NORMAN\nvc\BIN\NYMSE.EXE
C:\WINDOWS\System32\arr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE
C:\windows\winlogon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rogier A. Huffnagel\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://out.true-counter.com/b/?351418 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://out.true-counter.com/c/?351418 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?351418 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?351418 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?351418 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?351418 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?351418 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://out.true-counter.com/a/?351418 about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?351418 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?351418 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?351418 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?351418 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/1/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?351418 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?351418 (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\ROGIER~1.HUF\LOCALS~1\Temp\hlpiheb.dll
O3 - Toolbar: Telefoongids Zoekbalk - {904691A1-C588-4B27-BC47-D8599EDB3F97} - C:\Program Files\TelefoonToolbar\TelefoonBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\System32\bootconf.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wanadoo Menu] C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE /S:T
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Telefoongids (HKLM)
O9 - Extra 'Tools' menuitem: Telefoongids Zoekbalk (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O15 - Trusted Zone: *.pluginaccess.com
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp

Regards
 
Hi compmaniac,

Download, unzip and run CWShredder

Then tick the items below, close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\ROGIER~1.HUF\LOCALS~1\Temp\hlpiheb.dll
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe

Then reboot and delete:
C:\WINDOWS\winupdate.exe
sys.reg
C:\WINDOWS\System32\w32sup.exe
C:\WINDOWS\System32\arr.exe
c:\windows\winlogon.exe <= make sure you delete this one and not the real one, which is in the System32 folder
C:\Program Files\MS-Connect <= the whole folder

After that, read the first post and scan with Spybot S&D or AdAware. The agreement, by the way, was to do that before posting a log. :rolleyes:

To be on the safe side, post a new log once you have worked through the whole routine.

Regards,

Pieter
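
Three of the entries marked in the answer above follow patterns that can be checked mechanically: a system file name outside System32, a BHO loaded from a Temp folder, and a Run entry that silently imports a .reg file. The following is an added example, not part of the original post; the sample lines are copied from the log above, and the function names and the SYSTEM32_ONLY list are assumptions. Entries such as winupdate.exe, w32sup.exe and arr.exe match none of these rules and still need a helper's judgement.

```python
import ntpath
import re

# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\windows\winlogon.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\ROGIER~1.HUF\LOCALS~1\Temp\hlpiheb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Assumption: an illustrative, non-exhaustive list of Windows XP core
# binaries whose only legitimate location is the System32 folder.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

MISPLACED = "system binary name outside System32"
TEMP_BHO = "browser helper object loaded from a Temp folder"
REG_IMPORT = "Run entry silently imports a .reg file"

RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")
BHO_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', re.I)


def exe_of(command):
    """Return the program part of a Run command, with or without quotes."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.split()[0]


def misplaced_system_binary(path):
    """True when a System32-only file name appears with another directory."""
    directory, name = ntpath.split(path.lower())
    return (name in SYSTEM32_ONLY and directory != ""
            and not directory.endswith("\\system32"))


def triage(log_text):
    """Return (reason, line) pairs for log lines that match a rule."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        run, bho = RUN_RE.match(line), BHO_RE.match(line)
        if run:
            command = run.group(3)
            if re.match(r"regedit(\.exe)?\s+[/-]s\b", command, re.I):
                findings.append((REG_IMPORT, line))
            elif misplaced_system_binary(exe_of(command)):
                findings.append((MISPLACED, line))
        elif bho:
            if re.search(r"\\te?mp\\", bho.group(1), re.I):
                findings.append((TEMP_BHO, line))
        elif PROC_RE.match(line) and misplaced_system_binary(line):
            findings.append((MISPLACED, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```
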
 
Posted by Compmaniac
I had already scanned with adaware first, I'm now going to remove those things

OK. It may be that some of the files I told you to delete are already gone then.

Regards,

Pieter
 
What do you mean by sys.reg? And winlogon.exe wasn't among them; apart from that I did everything. Everything works again, so thanks. Here is the new log, just to be sure:

Logfile of HijackThis v1.97.2
Scan saved at 15:55:47, on 27-9-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\NORMAN\nvc\BIN\ZLH.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\WINDOWS\System32\ctfmon.exe
C:\NORMAN\nvc\BIN\NYMSE.EXE
C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rogier A. Huffnagel\Local Settings\Temp\Tijdelijke map 3 voor hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/1/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Telefoongids Zoekbalk - {904691A1-C588-4B27-BC47-D8599EDB3F97} - C:\Program Files\TelefoonToolbar\TelefoonBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wanadoo Menu] C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE /S:T
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Telefoongids (HKLM)
O9 - Extra 'Tools' menuitem: Telefoongids Zoekbalk (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: *.pluginaccess.com
 
Logfile of HijackThis v1.97.2
Scan saved at 19:26:26, on 27-9-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Muis drivers\1.0\lwbwheel.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\EscapeClose\EscapeClose.exe
C:\WINDOWS\Plaxo\1.3.1.48\InstallStub.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Jean-Paul\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Jean-Paul/Mijn%20documenten/My%20Webs/Mijn_startpagina.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0413&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0413&s=search&ap=b204
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 6.0, SP I. Aangeboden door J-P I.T.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.76.47.11:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TC Monitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Muis drivers\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [ZoneAlarm Pro] C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKCU\..\Run: [SpeedFan] C:\Program Files\SpeedFan\speedfan.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [EscapeClose] C:\Program Files\EscapeClose\EscapeClose.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.48\InstallStub.exe -a
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: DENK ERAAN.txt
O4 - User Startup: DENK ERAAN.txt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MS-KB (HKLM)
O9 - Extra 'Tools' menuitem: MS-KB (HKLM)
O9 - Extra button: Onderzoekscentrum (HKLM)
O15 - Trusted Zone: http://www.alfrink.nl
O15 - Trusted Zone: *.symantec.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/nl/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/dutch/TemplateGallery/msotd.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www.compaq.nl/support/garantie/CSND_AX.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

As far as I know it is clean, but every so often a connection is suddenly made automatically. Now that I don't have the modem connected for a moment (I'm on another PC right now) I keep getting a message that there is a connection error. But that means a program wants to connect and Windows allows it. I 1) can't remember ever giving permission for this, 2) can't think of a program that would want this (Outlook and IE are closed) and 3) can't think of any way to prevent it.
 
The name of the following startup entry is certainly suggestive...

O4 - HKCU\..\Run: [PlaxoUpdate]C:\WINDOWS\Plaxo\1.3.1.48\InstallStub.exe -a

Untick that one in Msconfig/Startup
 
Unticked. But the message still keeps coming (InstallStub also terminated as a process). Reboot?
 
Posted by XP_PC
Unticked. But the message still keeps coming (InstallStub also terminated as a process). Reboot?

If you have ended the process, that shouldn't make any difference.

Could also be MSN Messenger, by the way.

ZoneAlarm, however, has a habit of doing this too:

From http://www.wilderssecurity.com/index.php?board=23&action=display&threadid=3864&start=0

Users that upgraded one of the three ZA products to Version 3.1.395 have noticed that "ZA phones home." This issue seems to be only occurring with DUN users. I recently received some words from Zone Labs about this problem.

Q: Why is ZoneAlarm Pro causing my computer to dial out?

A: ZoneAlarm Pro is performing a DNS lookup. Normally, ZoneAlarm Pro waits until a user has established an Internet connection before performing the DNS lookup. However, an issue with the most recent ZoneAlarm Pro/Plus and ZoneAlarm releases is that they don't wait for an Internet connection before performing the DNS lookup. On some computers with auto-dialers set up, this look-up may cause the auto-dialer to be invoked. We're aiming to correct this in the next release of the products.

Q: Why is ZoneAlarm Pro performing a DNS lookup?

A: ZoneAlarm products perform automatic DNS lookups on any service addresses that a user requests for that session (registration, check-for-update), as well as for any Zone Labs Web destinations a user may go to. In addition to this, when a user adds a new Web site to a Zone, ZoneAlarm Pro does a DNS lookup for that site. But if the DNS name cannot be resolved before the session is over, ZoneAlarm Pro tries again the next session until the information can be established.

Q: What is lockout.zonelabs.com?

A: Your dialer may indicate a destination address of lockout.zonelabs.com. This is a landing page with instructions for people who have experienced firewall hardening. Firewall hardening is a failsafe security measure built in to our products. If a hacker or malware attempts to directly assault ZoneAlarm, Plus, or Pro, the software prevents Internet access for any applications not already running. When this happens, the user's browser automatically displays lockout.zonelabs.com. Firewall hardening is rarely triggered, but when it is, it's important for you to know what has happened
 
FW doesn't ask for anything. I think it will be an application that already has permissions (let me check).
MSN never made a fuss about that.
 
Posted by XP_PC
FW doesn't ask for anything. I think it will be an application that already has permissions (let me check).

Exactly. So I would remove all applications from ZoneAlarm/Programs for now.

That makes it a bit easier.
 
Can you help us with this hijack log?

Logfile of HijackThis v1.97.2
Scan saved at 20:07:45, on 27/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TimeUp] C:\Program Files\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dolmen.be/bin/mgaxctrl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.3547222222
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = skynet.be
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.238.2.21,195.238.2.22

spyware ad aware 6.0
 
Posted by Kleinkramer
Exactly. So I would remove all applications from ZoneAlarm/Programs for now.

That makes it a bit easier.

Yes, indeed. I was already working on that :). Will see whether it helps.
 