Helpmij tegen spyware offensief

Pieter Arntz · 13 nov 2003

Hoi wullybully,

Goed werk. :thumb:

Groetjes,

Pieter

domi · 14 nov 2003

hyjackthis log

als je eens wil kijken ,alvast bedankt (ik heb gescand met ad aware)Logfile of HijackThis v1.97.6
Scan saved at 16:23:38, on 14-11-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
G:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
G:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
G:\Program Files\Trust\Ami Mouse 250S Cordless\Amoumain.exe
G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
G:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
G:\Program Files\ISTsvc\istsvc.exe
G:\WINDOWS\System32\ctfmon.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\WINDOWS\System32\RUNDLL32.EXE
G:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
G:\Program Files\Netropa\Onscreen Display\OSD.exe
G:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
G:\WINDOWS\System32\nvsvc32.exe
G:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
G:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
c:\Program Files\Internet Optimizer\optimize.exe
c:\program files\comsoft\dialers\easydates_be\easydates_be.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\WinRAR\WinRAR.exe
G:\DOCUME~1\DOMINI~1\LOCALS~1\Temp\Rar$EX00.654\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hbvl.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hbvl.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - G:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - G:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [pccguide.exe] "G:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "G:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "G:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] G:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [RoboForm] G:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
O4 - HKLM\..\Run: [EasyDates_be] C:\Program Files\ComSoft\Dialers\EasyDates_be\EasyDates_be.exe /dontdial
O4 - HKLM\..\Run: [IST Service] G:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &2 Customize Menu - res://G:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://G:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://G:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &7 Fill Forms (HKLM)
O9 - Extra button: Save Forms (HKLM)
O9 - Extra 'Tools' menuitem: &8 Save Forms (HKLM)
O9 - Extra button: RF toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: FortisCzPc - https://www.fortisbanking.be/FortisCzPC.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37935.3725
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

Pieter Arntz · 14 nov 2003

Hoi domi,

Vink de onderstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [EasyDates_be] C:\Program Files\ComSoft\Dialers\EasyDates_be\EasyDates_be.exe /dontdial
O4 - HKLM\..\Run: [IST Service] G:\Program Files\ISTsvc\istsvc.exe

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

Start dan opnieuw op, liefst in veilige modus en verwijder:
G:\Program Files\ISTsvc <= de hele map
C:\Program Files\ComSoft <= de hele map

Groetjes,

Pieter

imr · 14 nov 2003

hijack scan

hello,
volgende hijac scan (na eerst adaware en spybot losgelaten te hebben).
Kun je ff checken?
Alvast bedankt!

Logfile of HijackThis v1.97.6
Scan saved at 20:53:11, on 14/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINZIP\winzip32.exe
C:\Documents and Settings\Eigenaar\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mypip.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telenet.be
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.telenet.be
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
O15 - Trusted Zone: http://www.belgiumfxp.com
O16 - DPF: ConferenceRoom Java Client - http://irc.rendez-vous.be:8000/java/cr.cab
O16 - DPF: FortisCzPc - https://www.fortisbanking.be/FortisCzPC.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/nl/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.5750578704
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Pieter Arntz · 14 nov 2003

Hoi imr,

Vink de onderstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked:

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB

Dan opnieuw opstarten.

Groetjes,

Pieter

hawkie · 14 nov 2003

Hallo , ben met een pc van een vriendin bezig: heb zojuist het blastervirus verwijderd, heb met adaware en spybot gescand. Ben benieuwd wat er nog weg kan:

Logfile of HijackThis v1.97.6
Scan saved at 22:25:03, on 14-11-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\wendy bosker\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.planet.nl/zoeken/ie5
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.planet.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://signup.wanadoo.nl/cgi-bin/We...l?LOGIN=c1790046@wanadoo.nl&PASSWORD=ZiYxp95s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.planet.nl
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.2180324074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C72DF60-776D-4A28-90E2-569FCAC743F4}: NameServer = 194.134.5.5 194.134.0.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C72DF60-776D-4A28-90E2-569FCAC743F4}: NameServer = 194.134.5.5 194.134.0.97

imr · 14 nov 2003

thx Pieter!

Pieter Arntz · 14 nov 2003

Geplaatst door margaNo
Hallo , ben met een pc van een vriendin bezig: heb zojuist het blastervirus verwijderd, heb met adaware en spybot gescand. Ben benieuwd wat er nog weg kan:

Ziet er netjes uit zo margaNo. :thumb:

Groetjes,

Pieter

hawkie · 15 nov 2003

Oke Pieter bedankt weer voor de snelle service

:thumb:

Compmaniac · 15 nov 2003

Hoi Pieter

Dit is mijn Hijack log:

Logfile of HijackThis v1.97.6
Scan saved at 14:44:51, on 15-11-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svcpack.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\NORMAN\nvc\BIN\ZLH.EXE
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\Program Files\GMSoft\Dialers\Hot_nl\Hot_nl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\NORMAN\nvc\BIN\NYMSE.EXE
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Rogier A. Huffnagel\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hand-book.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.57.28/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mscpai.dll
O3 - Toolbar: Telefoongids Zoekbalk - {904691A1-C588-4B27-BC47-D8599EDB3F97} - C:\Program Files\TelefoonToolbar\TelefoonBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Hot_nl] C:\Program Files\GMSoft\Dialers\Hot_nl\Hot_nl.exe /dontdial
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wanadoo Menu] C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE /S:T
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iedll] C:\Program Files\Windows Media Player\iedll.exe
O4 - HKCU\..\Run: [loader] C:\Program Files\Windows Media Player\loader.exe
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Telefoongids (HKLM)
O9 - Extra 'Tools' menuitem: Telefoongids Zoekbalk (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
O15 - Trusted Zone: *.pluginaccess.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)

Zou je hem ff voor mij willen bekijken? Ook kan ik niet meer in het scherm komen waar je je startpagina kan instellen en waar je geschiedenis kan aanpassen. Weet jij hoe ik die weer terug krijg?

groetjes,

compmaniac

Pieter Arntz · 15 nov 2003

Geplaatst door Compmaniac

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/main/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hand-book.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hand-book.com/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/w/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.57.28/

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com

O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mscpai.dll

O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Hot_nl] C:\Program Files\GMSoft\Dialers\Hot_nl\Hot_nl.exe /dontdial

O4 - HKCU\..\Run: [iedll] C:\Program Files\Windows Media Player\iedll.exe
O4 - HKCU\..\Run: [loader] C:\Program Files\Windows Media Player\loader.exe
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
O15 - Trusted Zone: *.pluginaccess.com
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)

Zou je hem ff voor mij willen bekijken? Ook kan ik niet meer in het scherm komen waar je je startpagina kan instellen en waar je geschiedenis kan aanpassen. Weet jij hoe ik die weer terug krijg?

groetjes,

compmaniac

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik dan op Fix checked.

Dan opnieuw opstarten en deze verwijderen:
C:\WINDOWS\System32\svcpack.exe
C:\WINDOWS\sys.reg
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\Fonts\msoffice.hta
C:\WINDOWS\svchost.exe <= let op dat je de goede verwijderd, de echte staat namelijk in de System32 map
C:\Program Files\GMSoft <= de hele map
C:\Program Files\Windows Media Player\iedll.exe
C:\Program Files\Windows Media Player\loader.exe
C:\WINDOWS\AddClass.exe
C:\WINDOWS\my.css

Je zou dan ook weer zelf in je instellingen van IE moeten kunnen.

Download, unzip en run daarna CWShredder voor de zekerheid.

Groetjes,

Pieter

UTAH · 15 nov 2003

Ziehier mijn hijack logfiles ter controle tegen een vermeende virusmelding van trojan horse..........
Had dit geplaatst op virus>geinfecteerd na melding van member gezina.
Heb een ad-aware scan uitgevoerd en alle gevonden spyware verwijdert, maar probleem is nog steeds niet opgeloZiehier startuplist en hijackfile.log ter controle.

STARTUPLIST:

StartupList report, 12/11/2003, 19:23:46
StartupList version: 1.52
Started from : C:\DOCUME~1\JOSBRO~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Office mouse\1.1\moffice.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Open Site\opnste.exe
C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\JOSBRO~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe
C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
SoundMan = SOUNDMAN.EXE
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
FLMOFFICE4DMOUSE = C:\Program Files\Office mouse\1.1\moffice.exe
winnet = C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
Open Site = C:\Program Files\Open Site\opnste.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SystemSAS = system32.exe
CMD = cmd32.exe
Microsoft Cvrt = mscvrt32.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
PopUpStopperProfessional = "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

[Setup]
WMAFile = regsvr32.exe /s C:\WINDOWS\System32\NCTWMAFile2.dll
AudioTransform = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\NCTAudioTransform.dll
AudioRecord = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\NCTAudioRecord.dll
AudioPlayer = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\NCTAudioPlayer.dll
AudioInformation = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\NCTAudioInformation.dll
AudioGrabber = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\NCTAudioGrabber.dll
AudioFile = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\NCTAudioFile.dll
AudioEditor = regsvr32.exe /s C:\WINDOWS\System32\NCTAudioEditor2.dll
Playback Engine = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\bw6mdr51.ocx
Skin Engine = C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\ActiveSkin.ocx
MFC42 = regsvr32.exe /s mfc42.dll
Imaging Engine = regsvr32.exe /s C:\WINDOWS\System32\ltocx13n.ocx
Video Editor = regsvr32.exe /s C:\WINDOWS\System32\DSEditor.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
SCRNSAVE.EXE=C:\WINDOWS\NVIDIA~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

BabeIE - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll - {00000000-0000-0000-0000-000000000000}
(no name) - C:\Program Files\DAP\DAPBHO.dll (file missing) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\whattn.dll - {10955232-B671-11D7-8066-0040F6F477E4}
(no name) - C:\DOCUME~1\REINHI~2\APPLIC~1\gdxstdrgrfr.dll - {6e73da81-a80f-49ee-ad8d-e8fefd99ffb1}
(no name) - C:\WINDOWS\newones.dll - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D}

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/...director/sw.cab

[UCSearch.ucUCSearch]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\UCSearch.ocx
CODEBASE = http://www.armbender.com/UCSearch.CAB

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Cult3D ActiveX Player]
InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
CODEBASE = http://www.cult3d.com/download/cult.cab

[{421A63BA-4632-43E0-A942-3B4AB645BE51}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IWCHECK.DLL
CODEBASE = http://64.156.188.99/iwasher/pptpro...etwasherpro.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.microsoft.com/product...ontent/opuc.cab

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = https://www.gamespyid.com/alaunch.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binar...StatsClient.cab

[InstallShield International Setup Player]
InProcServer32 = c:\windows\downlo~1\isetup.dll
CODEBASE = http://www.installengine.com/engine/isetup.cab

[NPKXSite Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\npkxsite.ocx
CODEBASE = http://kr.pristontale.com/nprotect/...pt/npkxsite.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.c...7580.1408796296

[{A19A291A-9653-4498-93F6-5BA06CF699D8}]
CODEBASE = http://download.peopleonpage.com/po.../ax/PopLoad.cab

[download Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\vxpspeeddelivery.dll
CODEBASE = http://www.gigex.com/ActiveX/vxpspeeddelivery.dll

[Mophun Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\mophun.ocx
CODEBASE = http://www.mophun.com/codebase/mophun.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sc.communities.msn.com/contr...UC/MsnPUpld.cab

[NPX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\npx.ocx
CODEBASE = http://kr.pristontale.com/nprotect/nprotect/npx.cab

[PhotosCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\YPhotos.dll
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pu...ash/swflash.cab

[Secure Delivery]
CODEBASE = http://www.gamespot.com/KDX/kdx.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://sc.communities.msn.com/contr...t/msnchat45.cab

[Tukati Launcher]
InProcServer32 = C:\WINDOWS\System32\TukatiClientInstaller.dll
CODEBASE = http://3dgamers.tukati.com/tukati/1.7.20.20/tukati.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan51.ocx
CODEBASE = http://www.housecall.nl/housecall/xscan4.cab

[{FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}]
CODEBASE = http://download.redswoosh.com/Installer/rsinstaller.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

--------------------------------------------------
End of report, 10.153 bytes
Report generated in 0,016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

HIJACK LIST 12-11-03

Logfile of HijackThis v1.97.6
Scan saved at 19:30:35, on 12/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Office mouse\1.1\moffice.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Open Site\opnste.exe
C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\JOSBRO~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...aults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.huntbar.com/ie.asp?aff=1452
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
O2 - BHO: (no name) - {6e73da81-a80f-49ee-ad8d-e8fefd99ffb1} - C:\DOCUME~1\REINHI~2\APPLIC~1\gdxstdrgrfr.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SuperBar - {E6BAE9C6-35DA-4E97-895D-05AEC7BE0D28} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: qeeeecrthgl - {edd843df-fa0a-4aa1-9ef7-413ad8218e05} - C:\DOCUME~1\REINHI~2\APPLIC~1\gdxstdrgrfr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKLM\..\RunServices: [Microsoft Cvrt] mscvrt32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptpro...etwasherpro.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/product...ontent/opuc.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/...pt/npkxsite.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7580.1408796296
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/po.../ax/PopLoad.cab
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/contr...UC/MsnPUpld.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/contr...t/msnchat45.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.7.20.20/tukati.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.com/Installer/rsinstaller.cabst.

Bij voorbaat dank.
UTAH

Pieter Arntz · 15 nov 2003

Hoi UTAH,

Als je hiermee klaarbent moet je in AdAware nog even de update van vandaag ophalen en opnieuw scannen.

Vink de onderstaande aan, sluit alle vensters behalve HijackThis en klik dan op Fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...aults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.huntbar.com/ie.asp?aff=1452
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing)

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
O2 - BHO: (no name) - {6e73da81-a80f-49ee-ad8d-e8fefd99ffb1} - C:\DOCUME~1\REINHI~2\APPLIC~1\gdxstdrgrfr.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll

O3 - Toolbar: SuperBar - {E6BAE9C6-35DA-4E97-895D-05AEC7BE0D28} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)

O3 - Toolbar: qeeeecrthgl - {edd843df-fa0a-4aa1-9ef7-413ad8218e05} - C:\DOCUME~1\REINHI~2\APPLIC~1\gdxstdrgrfr.dll

O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKLM\..\RunServices: [Microsoft Cvrt] mscvrt32.exe

O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptpro...etwasherpro.cab

O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/...pt/npkxsite.cab

O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/po.../ax/PopLoad.cab
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.com/Insta...nstaller.cabst.

Start daarna opnieuw op en verwijder:
C:\Program Files\SuperBar <= de hele folder
C:\PROGRAM FILES\COMMONNAME <= de hele folder
system32.exe <= let op, alleen het bestand, niet de map
cmd32.exe
mscvrt32.exe

En wil je deze map even zippen en naar me mailen. (Zie eerste bericht)
LOL map vergeten erbij te zetten: C:\Program Files\Open Site

Groetjes,

Pieter

wullybully · 15 nov 2003

nog een log van een vriend van mij, wederom bedankt!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {767549a0-b096-11d7-9bbe-00c04f08af79} - C:\WINDOWS\APPLICATION DATA\DLLOOJYGP.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: eouqstjrzth - {767549a1-b096-11d7-9bbe-00c04f08af79} - C:\WINDOWS\APPLICATION DATA\DLLOOJYGP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [lygll] C:\WINDOWS\APPLIC~1\rouiiezl.exe -QuieT
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\CODE.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030413-78E1-11D2-B60F-006097C998E7}\misc.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Run DAP (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

Pieter Arntz · 15 nov 2003

Hoi wullybully,

O2 - BHO: (no name) - {767549a0-b096-11d7-9bbe-00c04f08af79} - C:\WINDOWS\APPLICATION DATA\DLLOOJYGP.DLL

O3 - Toolbar: eouqstjrzth - {767549a1-b096-11d7-9bbe-00c04f08af79} - C:\WINDOWS\APPLICATION DATA\DLLOOJYGP.DLL

O4 - HKLM\..\Run: [lygll] C:\WINDOWS\APPLIC~1\rouiiezl.exe -QuieT

O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\CODE.EXE

O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00030413-78E1-11D2-B60F-006097C998E7}\misc.exe

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab

Start dan opnieuw op en verwijder:
C:\WINDOWS\APPLICATION DATA\rouiiezl.exe
C:\WINDOWS\SYSTEM\CODE.EXE
C:\Program Files\Startportal <= hele map

en kijk je favorieten even na op toegevoegde mappen.

Groetjes,

Pieter

wullybully · 15 nov 2003

onwijs bedankt pieter!!

Petra99 · 16 nov 2003

Zou je nog een keer willen kijken?

Logfile of HijackThis v1.97.6
Scan saved at 12:56:10 PM, on 11/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security

Professional\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Norton Internet Security

Professional\ccPxySvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob en Petra\Local

Settings\Temp\Tijdelijke map 1 voor

hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page

= http://home.nld.chello.nl/
R0 - HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon

initialize
O4 - HKLM\..\Run: [EM_EXEC]

C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common

Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check]

C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [tgcmd]

"C:\PROGRA~1\Support.com\bin\tgcmd.exe" /server /startmonitor

/deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program

Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program

Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail

Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA

Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E}

(chelloInstall.Install) -

http://quickfix2.chello.nl/quickfix2/asp/chelloInstall.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter

Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader

Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update

Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB

?37925.052037037
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7}

(LaunchApp.clsDefault) -

http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave

Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash

.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX

Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader

Class) -

http://www2.incredimail.com/contents/setup/downloader/imloader.

cab

De PC is errug traag op het moment, twee weken geleden compleet opnieuw geinstalleerd.

Petra99 · 16 nov 2003

4 x virus verwiderd

`4x trojan bytverify verwijderd

beyond.class
blackBOx.class
Dummy.class
VerifierBug.class

Dit ondanks Norton firewall .

streamtec · 16 nov 2003

hijackthislog

wil je zo vriendelijk zijn om deze even na te kijken?
Logfile of HijackThis v1.97.3
Scan saved at 15:20:48, on 16-11-03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ESSOLO.EXE
C:\IBMTOOLS\APTEZBTN\APTEZBP.EXE
C:\PROGRAM FILES\TRUST\AMI MOUSE 250S CORDLESS\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dev.ntcor.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.nl/Default.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.brunssum.net:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKLM\..\RunOnce: [ForceShow] rundll32.exe C:\WINDOWS\DOWNLO~1\QABAR.DLL,ForceShowBar
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5178356481
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

LaBelgique · 16 nov 2003

Kan je onderstaande HijackThis logfile controleren aub.
Dank bij voorbaat van LaBelgique !
Is een reactie op de ontvangen feedback van mijn vraag dd.15nov2003 over spyware> bestand cnbabe.dll

Heb een ad-aware versie 6.181 scan uitgevoerd en kreeg na quarantaine plaatsing en verwijdering nog volgende melding:
Some objects could not be removed.
C:\WINDOWS\SYSTEM32\mo030414s.dll
C:\program files\clearsearch\ie_clrsch.dll
C:\program files\clearsearch\loader.exe
Ik heb deze voorlopig laten staan. Verwijderen?

Logfile of HijackThis v1.97.6
Scan saved at 15:25:17, on 16/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WinServices.exe
C:\PROGRA~1\Medion\POWERV~1\Agent.exe
C:\PROGRA~1\CLEARS~1\Loader.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\DOCUME~1\DEFINI~1\APPLIC~1\ssglgrkv.exe
C:\WINDOWS\System32\code.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\louis\LOCALS~1\Temp\Arv1.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\ZONEAL~1.EXE
C:\Program Files\Microsoft Office\Office\1043\msoffice.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\tcpsvs32.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~4\Office\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\DOCUME~1\louis\LOCALS~1\Temp\TIJDEL~3.ZIP\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tijd.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pandora.be
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pandora.be:8080/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://breedband.telenet.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.huntbar.com/ie.asp?aff=1452
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\System32\stlbupdt.DLL
O2 - BHO: (no name) - {413EBB03-5E23-4034-AED2-326487E5BCA8} - C:\WINDOWS\system32\mo030414s.dll
O2 - BHO: (no name) - {45E64E66-DA86-4C97-B546-B17F0DA56A07} - C:\WINDOWS\system32\mbqji.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {f74aaa82-b1c4-4d9a-878f-27566934189d} - C:\DOCUME~1\DEFINI~1\APPLIC~1\ctpouwshtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\System32\stlbupdt.DLL
O3 - Toolbar: gloonoussvs - {b880384c-761d-45ce-a3c3-0d06f8b5df6b} - C:\DOCUME~1\DEFINI~1\APPLIC~1\ctpouwshtr.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerVCR II\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\Medion\PowerVCR II\RemoteAgent.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [zSPGuard] c:\progra~1\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [ckwsht] C:\DOCUME~1\DEFINI~1\APPLIC~1\ssglgrkv.exe -QuieT
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\code.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Onderzoekscentrum (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.pandora.be
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37617.5937962963
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Helpmij tegen spyware offensief

Spywareslayer

Gebruiker

Spywareslayer

Gebruiker

Spywareslayer

Gebruiker

Gebruiker

Spywareslayer

Gebruiker

Gebruiker

Spywareslayer

Gebruiker

Spywareslayer

Gebruiker

Spywareslayer

Gebruiker

Gebruiker

Gebruiker

Gebruiker

Gebruiker

Wij waarderen jouw privacy