Helpmij tegen spyware offensief

[Dolfhin]

Logfile of HijackThis v1.97.2
Scan saved at 1:18:57, on 28-9-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Speed Disk\nopdb.exe
D:\WINDOWS\Integrator.exe
D:\Trillian\trillian.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Trillian\trillian.exe
D:\Opera\Beta\Beta7\opera.exe
D:\WINDOWS\explorer.exe
D:\Spybot - Search & Destroy\SpybotSD.exe
D:\ULTIMA~1\uzip.exe
D:\DOCUME~1\DOLFHIN\LOCALS~1\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microschoft Internet Exploder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~2\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\rivatuner\RivaTuner.exe" /S
O4 - Startup: Hare.lnk = D:\Hare\Hare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download met LeechGet - file://D:\LeechGet 2002\\AddUrl.html
O8 - Extra context menu item: Download met LeechGet Wizard - file://D:\LeechGet 2002\\Wizard.html
O8 - Extra context menu item: Verwerk met LeechGet (Parse) - file://D:\LeechGet 2002\\Parser.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C73C6ED-C9AF-46D5-9123-24D2A36F4334}: NameServer = 193.67.79.39 193.79.242.39

Die van windows title = microschot internet exploder heb ik zelf gedaan Die verwijder ik ook wel ff, Gescanned met spybot (de nieuwste)
Anyway waarom draait svchost.exe twee keer? 1 Keertje is toch wel genoeg?

 

[Pieter Arntz]

Hoi Dolfhin,

Twee keer is nog beschaafd.
http://support.microsoft.com/?kbid=314056

Log is schoon.

Pieter

 

[BuxBux]

hijack this

Wil je mischien ook even naar deze log willen kijken. Alvast bedankt.Logfile of HijackThis v1.97.2
Scan saved at 16:24:49, on 28-9-03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISSERV.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DBSERVER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\IAMAPP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\MIJN DOCUMENTEN\RICO\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hetnet.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.napster.nl/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.commonname.com/english/toolbar/sidebar.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.commonname.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msn.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.linksummary.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=hpfsched
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: BabeIE - {A6475E6B-3C2E-4B1F-82FD-8F1C0B1D8AD0} - (no file)
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: (no name) - {C7ADE150-743D-11D4-8141-00E029626F6A} - C:\WINDOWS\SYSTEM\NETPAL.DLL
O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\SYSTEM\MBHO.DLL
O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\SYSTEM\BHO.DLL
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\SYSTEM\VEG32.DLL
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\LWZ.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {A3E3F04C-F98C-4295-95EF-41C57425B077} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Gravis AppAware Loader] C:\WINDOWS\SYSTEM\DBServer.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinStart] C:\WINDOWS\System\WinStart.exe -boot
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Zupdate] C:\WINDOWS\Zupdate\Zupdate.EXE -silent -p "C:\WINDOWS\Zupdate" -s setup.cab
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://msn.nl
O14 - IERESET.INF: MS_START_PAGE_URL=http://msn.nl
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://www.greetingcenter.com/download/twophase.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab

 

[Kleinkramer]

Ga eerst naar Configuratiescherm/Software, en de-installeer New.Net (domains).
Vervolgens even opnieuw opstarten.

Vink nu de volgende zaken aan in Hijack This, sluit vervolgens alle browser-vensters, en klik op "fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.napster.nl/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.commonname.com/english/toolbar/sidebar.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.commonname.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: BabeIE - {A6475E6B-3C2E-4B1F-82FD-8F1C0B1D8AD0} - (no file)
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: (no name) - {C7ADE150-743D-11D4-8141-00E029626F6A} - C:\WINDOWS\SYSTEM\NETPAL.DLL
O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\SYSTEM\MBHO.DLL
O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\SYSTEM\BHO.DLL
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\SYSTEM\VEG32.DLL
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\LWZ.DLL

O3 - Toolbar: (no name) - {A3E3F04C-F98C-4295-95EF-41C57425B077} - (no file)

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinStart] C:\WINDOWS\System\WinStart.exe -boot
O4 - HKLM\..\Run: [Zupdate] C:\WINDOWS\Zupdate\Zupdate.EXE -silent -p "C:\WINDOWS\Zupdate" -s setup.cab

O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm

O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid
O11 - Options group: [CommonName] CommonName

O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://www.greetingcenter.com/download/twophase.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab

Start vervolgens even opnieuw op, en wis:

Het bestand C:\WINDOWS\System\WinStart.exe
De map C:\WINDOWS\Zupdate

Tenslotte download je Spybot - Search & Destroy

Eerst klik je links op Online, dan "Search For Updates", en vervolgens alle updates aanvinken en downloaden ( 'download updates' ).

Nu Internet Explorer afsluiten.

Vervolgens klik je linksonder op "check for problems", laat scannen, en laat SB tenslotte alles verwijderen/herstellen.
Het programma maakt automatisch backups aan..

Succes,

 

[Kleinkramer]

En upgrade je browser naar Internet Explorer 6.0 SP1.
Vervolgens naar de Windows Update site om ALLE beschikbare security patches te installeren.

Dat update een groot aantal belangrijke systeembestanden, fixt ontelbare bugs, en dicht een hoop veiligheidslekken.

 

[lamasta]

hijackthis.log

yo mensen, dit is mijn hijackthis log.. kan r nog wat verbeterd worden???


Logfile of HijackThis v1.97.2
Scan saved at 17:48:48, on 28-9-2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\KaZaA Lite\Speed Up.exe
C:\progra~1\steam\steam.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\KaZaA Lite\kazaa.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Lamasta\LOCALS~1\Temp\Rar$EX00.238\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.artofwall.tk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 66.159.18.75 astalavista.com
O1 - Hosts: 66.159.18.75 www.astalavista.com
O1 - Hosts: 66.159.20.51 astalavista.box.sk
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {34ab3a64-e9d5-43dc-9096-92b77a9b182e} - C:\DOCUME~1\Lamasta\APPLIC~1\prshgrholss.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: rnghpueeeaq - {cb7b5327-10d5-481c-bd1c-31cc18cff020} - C:\DOCUME~1\Lamasta\APPLIC~1\prshgrholss.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ShareMonkey Speedup] C:\Program Files\KaZaA Lite\Speed Up.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: Wallpaper Calendar.lnk = C:\Program Files\Wallpaper Calendar\WallCal3.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37710.5772800926
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

 

[Kleinkramer]

Deze moeten gefixed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

O1 - Hosts: 66.159.18.75 astalavista.com
O1 - Hosts: 66.159.18.75 www.astalavista.com
O1 - Hosts: 66.159.20.51 astalavista.box.sk

O2 - BHO: (no name) - {34ab3a64-e9d5-43dc-9096-92b77a9b182e} - C:\DOCUME~1\Lamasta\APPLIC~1\prshgrholss.dll

O3 - Toolbar: rnghpueeeaq - {cb7b5327-10d5-481c-bd1c-31cc18cff020} - C:\DOCUME~1\Lamasta\APPLIC~1\prshgrholss.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

 

[lamasta]

thnx,

en heeft zal dit nog opmerkelijke snelheden met zich meebrengen?? of is het maar een mini-ingreepje?

grtz

 

[Kleinkramer]

Geen snelheidswinst. Maar je bent wel wat LOP spyware kwijt, en dat is óók wat waard...

 

[Dolfhin]

Geplaatst door Pieter Arntz
Hoi Dolfhin,

Twee keer is nog beschaafd.
http://support.microsoft.com/?kbid=314056

Log is schoon.

Pieter

Mooi zo IK ben van plan het ff zo te houden ook

Weer heel erg bedankt :thumb:

 

[huijb]

Pieter of Ton,
Ik heb hier een log van een collega van mij, ik denk dat er wel wat ellende tussen zit. Bedankt.

Logfile of HijackThis v1.95.0
Scan saved at 19:47:52, on 28-9-2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
C:\Documents and Settings\marco\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\ms7531.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.12move.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer aangeboden door 12Move
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.12move.nl:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\ms7531.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: HP OfficeJet Opstartmenu.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Onderzoekscentrum (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.12move.nl
O16 - DPF: {1567488B-A6D9-444E-A7C0-D80934F54B73} - http://pms.localscripts.nl/plugins/ms7531.cab
O16 - DPF: {386498A4-FC45-4FB1-B275-4CD42C672D1A} - http://pms.localscripts.nl/plugins/id8525.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.cashmasters.nl/plugin/nl/net16/net16nl.exe
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} - http://www.tintel.nl/download/tcw.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

[Pieter Arntz]

Hoi huijb,

Deze mogen gefixed worden:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\ms7531.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\ms7531.html
O16 - DPF: {1567488B-A6D9-444E-A7C0-D80934F54B73} - http://pms.localscripts.nl/plugins/ms7531.cab
O16 - DPF: {386498A4-FC45-4FB1-B275-4CD42C672D1A} - http://pms.localscripts.nl/plugins/id8525.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.cashmasters.nl/plugin/nl/net16/net16nl.exe
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} - http://www.tintel.nl/download/tcw.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll

Daarna opnieuw opstarten.
Laat voor de zekerheid nog even kijken of de nieuwste versie van HIjackThis no verdachte dingen oplevert.

Groetjes,

Pieter

 

[Kleinkramer]

Deze moeten gefixed (eerst even alle browservensters uit):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\ms7531.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\ms7531.html

O16 - DPF: {1567488B-A6D9-444E-A7C0-D80934F54B73} - http://pms.localscripts.nl/plugins/ms7531.cab
O16 - DPF: {386498A4-FC45-4FB1-B275-4CD42C672D1A} - http://pms.localscripts.nl/plugins/id8525.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.cashmasters.nl/plugin/nl/net16/net16nl.exe
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} - http://www.tintel.nl/download/tcw.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll

Wis nu het bestand C:\WINDOWS\System32\ms7531.html.

Groetjes,

 

[Kleinkramer]

LOL! Ha, die Pieter!

Hmm, geen VB Code meer hier???

 

[huijb]

Zal ik doen Pieter. Ton kan ik alles met ms7351 weghalen? Staan er nl. nog al wat, oa. een JScript file maar ook een ms7351.mcs en een MS7351.clt en MS7351.ccm

 

[Pieter Arntz]

Oh?

Ton, het ziet ernaar uit dat we nu alle smilies met de hand moeten doen.

Huijb alles met ms7531 kan weg en indien aanwezig de map C:\Program Files\MS-Connect ook.

Groetjes,

Pieter

 

[vaat]

Geplaatst door huijb
Zal ik doen Pieter. Ton kan ik alles met ms7351 weghalen? Staan er nl. nog al wat, oa. een JScript file maar ook een ms7351.mcs en een MS7351.clt en MS7351.ccm

kan je rustig verwijderen

 

[huijb]

Bedankt. De log met de nieuwe Hijackthis zag er schoon uit. :thumb:

 

[Pieter Arntz]

Mooi zo, :thumb:

 

[lamasta]

thnx voor de hulp