Hijack log for a friend

Status
Not open for further replies.

fener33

User
Joined
5 Jun 2004
Posts
318
Hi Buffy or Hans,

A friend of mine has terrible problems with spyware, which is making his PC slow. Ad-Aware SE, a virus scanner and CWShredder have already been run over it;
now the rest.


Logfile of HijackThis v1.98.2
Scan saved at 18:41:44, on 13-9-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TDKSYS~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\PROGRA~1\TDKSYS~1\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\PROGRA~1\TDKSYS~1\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Michel\My Documents\Mijn ontvangen bestanden\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.cruhuacgspstvt.net/M257HstmSIxKisfvawDx5apGn0wqg5im7VeIp4zUwuiLz6YADdhzuVQOE7sqdHhv.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D42CF6A-7F73-20A3-556D-A1632E206197} - C:\PROGRA~1\METAEQ~1\Slow Army.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [playexit] C:\PROGRA~1\OKAYBL~1\UserTrans.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [README BEEP PHONE COAL] C:\Documents and Settings\All Users\Application Data\Meow Drive Readme Beep\Okay cake.exe
O4 - HKLM\..\Run: [DPMApp] "C:\Program Files\Philips Speech\DPMApp.exe" /h
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [StartPage] C:\windows\rundll32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {09CAC315-9D88-42AA-11A2-7EA86BE207FB} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {0ECE9869-B93F-06E4-505C-2010166B51B7} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/11225/online.chm::/on-line.exe
O16 - DPF: {117D3316-6BE7-75CC-5A96-15832FD9B98B} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {12D5B3BE-8CAD-59BA-4661-72F376C15052} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {18153E2D-6E82-2748-1EB0-26C52AB920EA} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {1A0EDC84-2F6B-4AB9-89BC-5B942B27CAAD} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.147/060570/nl/adult1/adult1.exe
O16 - DPF: {3A0BF10E-BE50-158A-017F-1E34430E1A56} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {3D84B3BD-D2F7-2D5D-2FD1-58415CC66785} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {54D5AB3B-2B2A-3DA2-2C1C-77820713F80E} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06d05e81772e6bfffb05/netzip/RdxIE601.cab
O16 - DPF: {571B3855-047D-7FC8-C94D-61853547E8E5} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {5DC97101-0FAE-7DE8-D541-603A054C1029} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {7448FBBA-A76F-0765-4E37-466702B29E93} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {79EBF2DF-2636-29D0-C846-54E31D7C2CB9} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
 
Posted by fener33

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.cruhuacgspstvt.net/M257HstmSIxKisfvawDx5apGn0wqg5im7VeIp4zUwuiLz6YADdhzuVQOE7sqdHhv.html

O2 - BHO: (no name) - {7D42CF6A-7F73-20A3-556D-A1632E206197} - C:\PROGRA~1\METAEQ~1\Slow Army.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)

O4 - HKLM\..\Run: [playexit] C:\PROGRA~1\OKAYBL~1\UserTrans.exe
O4 - HKLM\..\Run: [README BEEP PHONE COAL] C:\Documents and Settings\All Users\Application Data\Meow Drive Readme Beep\Okay cake.exe
O4 - HKCU\..\Run: [StartPage] C:\windows\rundll32.exe

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {09CAC315-9D88-42AA-11A2-7EA86BE207FB} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {0ECE9869-B93F-06E4-505C-2010166B51B7} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/11225/online.chm::/on-line.exe
O16 - DPF: {117D3316-6BE7-75CC-5A96-15832FD9B98B} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {12D5B3BE-8CAD-59BA-4661-72F376C15052} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {18153E2D-6E82-2748-1EB0-26C52AB920EA} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {1A0EDC84-2F6B-4AB9-89BC-5B942B27CAAD} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.147/060570/nl/adult1/adult1.exe
O16 - DPF: {3A0BF10E-BE50-158A-017F-1E34430E1A56} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {3D84B3BD-D2F7-2D5D-2FD1-58415CC66785} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {54D5AB3B-2B2A-3DA2-2C1C-77820713F80E} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {571B3855-047D-7FC8-C94D-61853547E8E5} - http://66.117.42.151/1/gdnNL19.exe
O16 - DPF: {5DC97101-0FAE-7DE8-D541-603A054C1029} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {7448FBBA-A76F-0765-4E37-466702B29E93} - http://66.117.42.151/1/rdgNL19.exe
O16 - DPF: {79EBF2DF-2636-29D0-C846-54E31D7C2CB9} - http://66.117.42.151/1/gdnNL19.exe


Hi Fener33,


1. Scan again with HijackThis, tick the items above (see quote), close all windows except HijackThis itself and click "Fix checked".

2. Restart the PC in safe mode.
If you don't know how to do that, have a look here: http://www.virushelp.nl/veilige_modus.htm

Make sure hidden files and folders are shown.
You can read how to do that here: http://users.telenet.be/marcvn/spyware/1117602.htm

Now, in safe mode that is, delete the following files and folders (where still present):

C:\PROGRAM FILES\METAEQ~1 <- i.e. the folder whose name begins with "Metaeq..."
C:\PROGRAM FILES\OKAYBL~1 <- i.e. the folder whose name begins with "Okaybl..."
C:\Documents and Settings\All Users\Application Data\Meow Drive Readme Beep <- that folder

3. Restart the PC in 'normal mode'.

4. Make a new log and post it here.
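Added by the editor, not part of the thread: a small Python triage that parses HijackThis entries like the ones fixed above and flags, with a reason, the patterns the helper picked out (a nameless or file-missing O2/O3 extension, an O4 autostart that is bare rundll32.exe or lives under Application Data, an O16 ActiveX download from a bare IP, of a raw .exe, or via ms-its:, and a search setting not on a Microsoft host). The heuristics and the trusted-host list are my own assumptions, not HijackThis logic; the sample entries are copied from the log posted above.

```python
import re
from urllib.parse import urlparse

# Heuristics are my own, modelled on the entries the helper singled out in this thread;
# they miss items (e.g. the searchmiracle .cab) that need a reputation lookup, not a syntax check.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+)\s+-\s+(.*)$")
RUN_RE = re.compile(r"\[[^\]]*\]\s*(.*)$")  # O4 entries: [name] command
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TRUSTED_SEARCH = ("microsoft.com", "msn.com")  # assumed: IE's own search hosts

def classify(line):
    """Return a reason string if a HijackThis entry looks suspicious, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section in ("R0", "R1") and "Search" in rest and "=" in rest:
        host = urlparse(rest.split("=", 1)[1].strip()).hostname or ""
        if not host.endswith(TRUSTED_SEARCH):
            return f"search setting points at untrusted host {host}"
    elif section in ("O2", "O3") and ("(no name)" in rest or "(file missing)" in rest):
        return "browser extension with no name or with its file missing"
    elif section == "O4":
        run = RUN_RE.search(rest)
        cmd = run.group(1).lstrip('"').lower() if run else ""
        if cmd.endswith("rundll32.exe") or "application data" in cmd:
            return "autostart is bare rundll32.exe or lives under Application Data"
    elif section == "O16":
        url = rest.rsplit(" - ", 1)[-1].strip()
        if url.lower().startswith("ms-its:"):
            return "ActiveX download via the ms-its: pseudo-protocol"
        host = urlparse(url).hostname or ""
        if IP_RE.match(host):
            return f"ActiveX download from bare IP {host}"
        if url.lower().endswith(".exe"):
            return "ActiveX download of a raw executable"
    return None

def triage(log_lines):
    """Keep only the suspicious entries, each paired with the reason it was flagged."""
    return [(line, reason) for line in log_lines if (reason := classify(line))]

# Sample entries copied from the log posted above (one benign entry included on purpose).
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {7D42CF6A-7F73-20A3-556D-A1632E206197} - C:\PROGRA~1\METAEQ~1\Slow Army.exe",
    r"O4 - HKCU\..\Run: [StartPage] C:\windows\rundll32.exe",
    r"O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab",
    r"O16 - DPF: {09CAC315-9D88-42AA-11A2-7EA86BE207FB} - http://66.117.42.151/1/gdnNL19.exe",
    r"O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/11225/online.chm::/on-line.exe",
]
```

Run `triage(SAMPLE_LOG)` to get the four flagged entries with their reasons; the MSN chat control passes as benign, which is why the remaining judgement calls in the thread still need a human.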