hijackthis

[bijma]

Ik heb een scan uitgevoerd met hijackthis. Wie kan mij helpen en laten weten wat mag verwijderd worden?
Alvast bedankt. Groetjes. BIJMA

Logfile of HijackThis v1.96.4
Scan saved at 21:49:21, on 8/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
D:\CD_DVD\cd branders\CloneCD4_01\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Naslagwerken\Babylon\Babylon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
D:\Tools\winzip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe
C:\Corel\ventura8\Programs\MFIndexer.exe
C:\WINDOWS\system32\mapiicon.exe
D:\Grafische toepassingen\photowise\quicklnk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
D:\Internettools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4d0b2c56-5dbe-4803-8417-96ad560524a2} - C:\DOCUME~1\Eric\APPLIC~1\oulytrmcrs.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem213.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: cheagrrveen - {c4988328-bafa-4b79-b11d-10f99243dc27} - C:\DOCUME~1\Eric\APPLIC~1\oulytrmcrs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Teen Sex] c:\Program Files\DiallerProgram\007130[1].exe -r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CloneCDTray] "D:\CD_DVD\cd branders\CloneCD4_01\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\CD_DVD\cd branders\CloneCD4_01\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Ad-aware] D:\Internettools\Ad-aware 6\Ad-aware.exe +c
O4 - HKLM\..\Run: [44739931.exe] C:\WINDOWS\System32\44739931.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Babylon Translator] D:\Naslagwerken\Babylon\Babylon.exe
O4 - Startup: PhotoWise QuickLink.lnk = D:\Grafische toepassingen\photowise\quicklnk.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Tools\winzip\WZQKPICK.EXE
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\ABIT\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\ventura8\Programs\MFIndexer.exe
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Onderzoekscentrum (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://usa-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37655.5019675926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://downloads.spywarelabs.com/DistID/1111030203/VBouncerOuter1111.EXE

 

[crash]

Je kan hem beterhier plaatsen.
Lees het eerste bericht ff goed door voordat je hem plaatst.
Je hebt meer kans op een reactie van de experts.

 

[vaat]

fix deze en sluit alle vensters van IE:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4d0b2c56-5dbe-4803-8417-96ad560524a2} - C:\DOCUME~1\Eric\APPLIC~1\oulytrmcrs.dll (file missing)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem213.dll
O3 - Toolbar: cheagrrveen - {c4988328-bafa-4b79-b11d-10f99243dc27} - C:\DOCUME~1\Eric\APPLIC~1\oulytrmcrs.dll (file missing)
O4 - HKLM\..\Run: [Teen Sex] c:\Program Files\DiallerProgram\007130[1].exe -r
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Tools\winzip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://usa-scripts.downloadv3.com/b...TML_pack_XP.cab

delete C:\WINDOWS\nem213.dll
delete c:\Program Files\DiallerProgram <= hele map
delete C:/Program%20Files/MS-Connect <= hele map

weet niet wat adsl_A2 doet, maar het start met je computer op. Mag je uitzetten als het overbodig is, dus deze lijn fixen:

O4 - HKLM\..\Run: [ADSL_A2] A2Installed

dit ziet er niet helemaal zuiver uit, maar kan het niet ergens bij plaatsen. Fix deze is en zip anders het bestand en mail het naar vaat@helpmij.nl

O4 - HKLM\..\Run: [44739931.exe] C:\WINDOWS\System32\44739931.exe

 

[Caspar107]

Is dit zuivere koffie?
C:\WINDOWS\System32\wuauclt.exe

http://www.sophos.com/virusinfo/analyses/trojcultb.html

De map MS-Connect in Program Files mag trouwens ook compleet weg.

 

[vaat]

Dan zou ook deze registry key er moeten zijn en die zie ik niet. :
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft auto update = WUAUCLT.EXE

norton kent die trojan als Backdoor.clt: http://www.symantec.com/avcenter/venc/data/backdoor.clt.html

Dus denk het niet, maar je kan natuurlijk altijd even scannen met je norton antivirus. Even updaten.

 

[mumzel]

Deze post had idd beter in de trhread van Pieter kunnen zitten, maar aangezien er nu al op gereageerd is is het moeilijk hem er bij te plaatsen. Voortaan daar graag

 

[Pieter Arntz]

Pieter had best graag een kopietje van 007130[1].exe willen hebben.

Dit is trouwens ook niet goed:
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
http://www.doxdesk.com/parasite/InternetOptimizer.html

Fix die ook en verwijder:
C:\Program Files\Internet Optimizer <= de hele map

Vaat,

Had je hier nog wat aan kunnen ontdekken: 44739931.exe

Groetjes,

Pieter

 

[vaat]

heb nog niks ontvangen, Pieter.

Hopelijk horen we nog wat !!