must or remove

Status
Not open for further replies.

painthorse

New user
Joined
12 Sep 2004
Posts
1
I hope I'll be out of trouble after this;
I'm eagerly awaiting the details of what I can
remove.

Regards, Painthorse.

Logfile of HijackThis v1.98.2
Scan saved at 0:08:34, on 12-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ntxs.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Winad Client\WinClt.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\int1.exe
C:\WINDOWS\system32\atlcv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Besitzer\Application Data\educ.exe
C:\Documents and Settings\Besitzer\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B03FDF75-E182-0CE1-C713-22B612A1EDC1} - C:\WINDOWS\system32\ipdx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [atlcv.exe] C:\WINDOWS\system32\atlcv.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\int1.exe
O4 - HKLM\..\RunOnce: [ntxs.exe] C:\WINDOWS\ntxs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Omob] C:\Documents and Settings\Besitzer\Application Data\educ.exe
O4 - HKCU\..\Run: [WTST] C:\WINDOWS\System32\wapisvtr.exe
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

:( :(
 
Gosh. :( I hope this doesn't give me nightmares later.

Besides a whole lot of other misery, you've caught the nastiest and hardest-to-remove CWS variant there is. Try to remove that CWS variant first; we'll deal with the rest afterwards.

Go to the following site: http://users.pandora.be/marcvn/spyware/1972664.htm

Follow the instructions you find there under "HomeSearch - res://<Random .dll" (the "new fix", that is, consisting of 19 steps). Carry out those 19 steps carefully. It is somewhat complicated, but if you do exactly what it says, it should work.

At step 7 you have to fix things with HijackThis. Fix the following items then:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B03FDF75-E182-0CE1-C713-22B612A1EDC1} - C:\WINDOWS\system32\ipdx.dll

O4 - HKLM\..\Run: [atlcv.exe] C:\WINDOWS\system32\atlcv.exe
O4 - HKLM\..\RunOnce: [ntxs.exe] C:\WINDOWS\ntxs.exe
O4 - HKCU\..\Run: [WTST] C:\WINDOWS\System32\wapisvtr.exe
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

At step 11 you have to delete files. Delete the following files then:

C:\WINDOWS\system32\zlgqp.dll
C:\WINDOWS\system32\ipdx.dll
C:\WINDOWS\system32\atlcv.exe
C:\WINDOWS\System32\wapisvtr.exe
C:\WINDOWS\System32\nssys32.exe
C:\WINDOWS\ntxs.exe

In addition, you must delete the *.exe file that belongs to the service you already identified at step 1 of the procedure.

Good luck!

Once you have carried out the entire 19-step procedure, create a new log with HijackThis and post it here, because then we still have to solve all those other problems too.
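
The R0/R1 entries listed in the reply above all point Internet Explorer's search settings at a page served from a local DLL (`res://...dll/sp.html`), and that pattern can be pulled out of a HijackThis log mechanically. The Python below is an added example, not part of the original posts; the function name `res_dll_hijacks` and the regular expressions are assumptions for illustration, and the sample lines are a subset copied from the log in this thread.

```python
import re
from collections import defaultdict

# Subset of lines copied from the log in this thread, embedded so this runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zlgqp.dll/sp.html#29836
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {B03FDF75-E182-0CE1-C713-22B612A1EDC1} - C:\WINDOWS\system32\ipdx.dll
"""

# "R0 - <registry key>,<value name> = <data>"; R0/R1 hold IE start and search pages.
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$")
# res://<path to a .dll>/<resource>: a page loaded from a local DLL's resources.
RES_DLL = re.compile(r"^res://(?P<dll>[A-Za-z]:\\.+?\.dll)/", re.IGNORECASE)


def res_dll_hijacks(log_text):
    """Map each local DLL to the IE settings (key, value name) that point into it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # not an R0/R1 entry (R3, O2, O4, ... are ignored here)
        res = RES_DLL.match(m.group("data"))
        if res:
            # Windows paths are case-insensitive, so normalise before grouping.
            hits[res.group("dll").lower()].append((m.group("key"), m.group("name")))
    return dict(hits)


if __name__ == "__main__":
    for dll, settings in res_dll_hijacks(SAMPLE_LOG).items():
        print(dll)
        for key, name in settings:
            print(f"  {key} -> {name}")
```

The DLL it reports is a candidate for review against the removal procedure, not a verdict; entries such as `about:blank` or the BHO line are outside what this check covers.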
 