HijackThis

kevnone · 17 okt 2004

wilt u voor mij controleren wat fout is
want ik heb last van een searchpotal
alfst bedankt

Logfile of HijackThis v1.98.0
Scan saved at 12:58:30, on 17-10-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdata\services.exe
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\Win Comm\WinComm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Win Comm\WinLock.exe
C:\Program Files\COMPANY_NAME\PRODUCT_NAME\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\G.v.K\Mijn documenten\setup\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=2033 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/10039/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=2033 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=2033 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=2033 (obfuscated)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {C32AE748-C08D-40E6-A43E-E7C9EDE1EE74} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\IncrediMail\bin\resources\WebMenuImg.htm
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/10043/online.chm::/on-line.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3c9f8fc88041:13f5dbdd0db4740d5e4c040db7735484
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll

buffy · 17 okt 2004

Geplaatst door kevnone

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=2033 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/10039/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=2033 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=2033 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=2033 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=2033 (obfuscated)

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {C32AE748-C08D-40E6-A43E-E7C9EDE1EE74} - (no file)

O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/10043/online.chm::/on-line.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3c9f8fc88041:13f5dbdd0db4740d5e4c040db7735484

O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - C:\WINDOWS\System32\vbsys.dll

1. Download CWShredder alvast, maar gebruik het nog niet: http://downloads.subratam.org/CWShredder.exe

2. Scan met HijackThis, vink de bovenstaande items (zie quote) aan, sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".

3. Draai nú CWShredder. Gebruik de Fix knop.

4. Herstart de pc in veilige modus.
Mocht je niet weten hoe dat moet, kijk dan hier even: http://www.virushelp.nl/veilige_modus.htm

Zorg ervoor dat verborgen bestanden en mappen worden weergegeven.
Hier kun je lezen hoe dat moet: http://users.telenet.be/marcvn/spyware/1117602.htm

Verwijder:
C:\WINDOWS\System32\vbsys.dll <- dat bestand
C:\WINDOWS\inetdata <- die map
C:\Program Files\Win Comm <- die map

5. Herstart de pc in 'normale modus'.

6. Scan online op virussen en trojans bij Housecall:
http://housecall.trendmicro.com/
Start na de scan de pc opnieuw op.

7. Doe een volledige scan met AdAware SE 1.05: http://www.majorgeeks.com/download506.html
Laat alles verwijderen wat wordt gevonden.
Start daarna de pc opnieuw op.

8. Maak een nieuw log en plaats dat hier.

kevnone · 26 okt 2004

log

hier is mijn nieuwe log
als er nog iets mis mee is ,hoor ik dat graag
alvast bedankt

Logfile of HijackThis v1.98.0
Scan saved at 23:40:35, on 24-10-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\COMPANY_NAME\PRODUCT_NAME\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\IncrediMail\bin\IMApp.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\G.v.K\Mijn documenten\setup\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\IncrediMail\bin\resources\WebMenuImg.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

buffy · 26 okt 2004

Je hebt stap 6 uit mijn antwoord niet uitgevoerd, want dat zou ik in je log kunnen zien.
Of je stap 7 wel hebt uitgevoerd betwijfel ik ook ten zeerste.

Ondertussen heb je trouwens doodleuk verse spyware binnengehaald...

kevnone · 26 okt 2004

Nieuwe Log

Ik heb nu stap 6 en 7 geprobeerd ik hoop dat het gelukt is

Logfile of HijackThis v1.98.0
Scan saved at 12:08:48, on 26-10-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\IncrediMail\bin\IMApp.exe
C:\Program Files\COMPANY_NAME\PRODUCT_NAME\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\G.v.K\Mijn documenten\setup\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\IncrediMail\bin\resources\WebMenuImg.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Is voor mij de eerste keer ik hoop dat het nu gelukt is.
alvast bedankt

buffy · 27 okt 2004

1. Scan met HijackThis en vink het volgende item aan:

C:\Program Files\Windows SyncroAd\SyncroAd.exe

Sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".

2. Herstart de pc in veilige modus en verwijder, indien nog aanwezig:

C:\Program Files\Windows SyncroAd <- die map

3. Herstart de pc in 'normale modus'.

4. Installeer een antivirusprogramma en een firewall.

5. Lees dit en doe er je voordeel mee: http://www.helpmij.nl/forum/showthread.php?threadid=184512

HijackThis

kevnone

Nieuwe gebruiker

buffy

Meubilair

kevnone

Nieuwe gebruiker

buffy

Meubilair

kevnone

Nieuwe gebruiker

buffy

Meubilair

Nieuwste berichten

Wij waarderen jouw privacy