Nieuwe topic na verzoek pieter

[math678]

Hier komen ze pieter .
Te beginnen met de PV log

Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
IMGUTIL.DLL 70510000 40960 C:\WINDOWS\SYSTEM\IMGUTIL.DLL 6.00.2800.1106 IE plugin image decoder support DLL
DOCPROP2.DLL 7cb10000 331776 C:\WINDOWS\SYSTEM\DOCPROP2.DLL 5.00.2136.1 DocProp2
AVIFIL32.DLL 7e410000 98304 C:\WINDOWS\SYSTEM\AVIFIL32.DLL 4.90.3000 Microsoft AVI-bestandsondersteuningsbibliotheek
MSVFW32.DLL 77ad0000 147456 C:\WINDOWS\SYSTEM\MSVFW32.DLL 4.90.3000 Microsoft Video voor Windows-DLL
WOW32.DLL bfdc0000 20480 C:\WINDOWS\SYSTEM\WOW32.DLL 4.90.3000 Win32 WOW32 core component
DCIMAN32.DLL 7d130000 24576 C:\WINDOWS\SYSTEM\DCIMAN32.DLL 4.90.3000 DCI Manager 1.00
WEBVW.DLL 7f170000 2142208 C:\WINDOWS\SYSTEM\WEBVW.DLL 5.50.4134.100 Shell Inhoud van Webweergave en controlebibliotheek
PSTOREC.DLL 76830000 65536 C:\WINDOWS\SYSTEM\PSTOREC.DLL 5.00.2133.2 Protected Storage COM interfaces
MSACM32.DLL 79df0000 102400 C:\WINDOWS\SYSTEM\MSACM32.DLL 4.90.3000 Microsoft Audiocompressiebeheer
CRTDLL.DLL 7fb10000 180224 C:\WINDOWS\SYSTEM\CRTDLL.DLL 3.50 Microsoft C Runtime Library
MSIMG32.DLL 793a0000 53248 C:\WINDOWS\SYSTEM\MSIMG32.DLL 5.00.2218.1 (Lab06_N(PRAVINSDEV).000328-1149) GDIEXT Client DLL
IMAGING.DLL 7b590000 364544 C:\WINDOWS\SYSTEM\IMAGING.DLL 5.00.2210.1 built by: Lab06_N(minliu) Windows Imaging Library
THUMBVW.DLL 24a0000 212992 C:\WINDOWS\SYSTEM\THUMBVW.DLL 5.50.4807.2300 Extensie van miniatuurweergaven
MYDOCS.DLL 77770000 81920 C:\WINDOWS\SYSTEM\MYDOCS.DLL 5.50.4134.100 De gebruikersinterface van de map Mijn documenten
MSRATING.DLL 70400000 143360 C:\WINDOWS\SYSTEM\MSRATING.DLL 6.00.2800.1106 DLL voor Internet-restricties en lokaal gebruikersbeheer
MSRATELC.DLL 30000000 73728 C:\WINDOWS\SYSTEM\MSRATELC.DLL 6.00.2800.1106 DLL voor Internet-restricties en lokaal gebruikersbeheer
DISPEX.DLL 4c00000 45056 C:\WINDOWS\SYSTEM\DISPEX.DLL 5.6.0.6626 Microsoft (r) DispEx
DXTMSFT.DLL 35cb0000 364544 C:\WINDOWS\SYSTEM\DXTMSFT.DLL 6.00.2800.1106 DirectX Media -- Image DirectX Transforms
DXTRANS.DLL 35c50000 208896 C:\WINDOWS\SYSTEM\DXTRANS.DLL 6.00.2800.1106 DirectX Media -- DirectX Transform Core
DDRAWEX.DLL 65000000 36864 C:\WINDOWS\SYSTEM\DDRAWEX.DLL 4.87.00.0700 Microsoft DirectDrawEx
DDRAW.DLL baaa0000 389120 C:\WINDOWS\SYSTEM\DDRAW.DLL 4.09.00.0900 Microsoft DirectDraw
FLASH.OCX 4430000 1732608 C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX 7,0,19,0 Macromedia Flash Player 7.0 r19
COMDLG32.DLL 7fe00000 212992 C:\WINDOWS\SYSTEM\COMDLG32.DLL 5.50.4134.100 DLL voor gedeelde dialoogvensters
WINMM.DLL bfdd0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.90.3000 System APIs for Multimedia
RNR20.DLL 76290000 57344 C:\WINDOWS\SYSTEM\RNR20.DLL 4.90.3000 Windows Socket2 NameSpace DLL
MSHTMLED.DLL 70f30000 450560 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 6.00.2800.1106 Microsoft (R)-onderdeel voor HTML-bewerking
JSCRIPT.DLL 6b700000 589824 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.6.0.8513 Microsoft (r) JScript
RSAENH.DLL 7ca00000 110592 C:\WINDOWS\SYSTEM\RSAENH.DLL 5.00.2133.2 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
WINTRUST.DLL 73ce0000 176128 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.2133.2 API's voor Microsoft-vertrouwenslijstcontrole
IMAGEHLP.DLL 7b5f0000 143360 C:\WINDOWS\SYSTEM\IMAGEHLP.DLL 5.00.2178.1 Windows NT Image Helper
SCRBLOCK.DLL 37a0000 122880 C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPT BLOCKING\SCRBLOCK.DLL 1, 1, 0, 126 ScriptBlocking
SCRAUTH.DLL 3570000 110592 C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPT BLOCKING\SCRAUTH.DLL 1, 1, 0, 126 ScriptBlocking Authenticator
KNCGBE.DLL 3560000 53248 C:\WINDOWS\SYSTEM\KNCGBE.DLL
ACROIEHELPER.DLL 3550000 49152 C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
MYIEMONITOR.DLL 2ed0000 450560 C:\PROGRAM FILES\OPINIONBAR\MYIEMONITOR.DLL 1.2.3.50
OLEPRO32.DLL 76ed0000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4515
NAVSHEXT.DLL 10000000 114688 C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVSHEXT.DLL 9.05.15 Norton AntiVirusNAVShellExt Module
ATL.DLL 5f3e0000 73728 C:\WINDOWS\SYSTEM\ATL.DLL 3.00.8449 ATL Module for Windows (ANSI)
CCTRUST.DLL 2db0000 106496 C:\WINDOWS\SYSTEM\CCTRUST.DLL 1.08.01 Common Client ccTrust
MSVCP60.DLL 780c0000 397312 C:\WINDOWS\SYSTEM\MSVCP60.DLL 6.00.8168.0 Microsoft (R) C++ Runtime Library
SENSAPI.DLL 60000000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4807.2300 SENS Connectivity API DLL
BROWSELC.DLL 718e0000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL 6.00.2800.1106 Shell Browser-bibliotheek voor gebruikersinterface
ES.DLL 2710000 118784 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
SENS.DLL 60100000 69632 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4807.2300 System Event Notification Service (SENS)
ESTIER2.DLL 2500000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
ESSHARED.DLL 2510000 69632 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
MSI.DLL 20a0000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
LINKINFO.DLL 7fa90000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.90.3000 Windows Volume Tracking
MSSHRUI.DLL 7f820000 98304 C:\WINDOWS\SYSTEM\MSSHRUI.DLL 4.90.3000 Shell-extensies voor delen
UPNP.DLL 2000000 143360 C:\WINDOWS\SYSTEM\UPNP.DLL 4.90.3002.0 Universal Plug and Play API
SSDPAPI.DLL 2030000 49152 C:\WINDOWS\SYSTEM\SSDPAPI.DLL 4.90.3002.0 SSDP Client API DLL
AUHOOK.DLL 1ed0000 53248 C:\WINDOWS\SYSTEM\AUHOOK.DLL 5.4.5681.0 Microsoft AutoUpdate
UPNPUI.DLL 74d40000 69632 C:\WINDOWS\SYSTEM\UPNPUI.DLL 4.90.3000.1 UPNP-monitor en -map
WEBCHECK.DLL 70340000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 6.00.2800.1106 Website Monitor
ACTXPRXY.DLL 703d0000 110592 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 6.00.2800.1106 ActiveX Interface Marshaling Library
IMM32.DLL bfe00000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.90.3000 Win32 IMM32 core component
MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
SHDOCLC.DLL 2c60000 561152 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 6.00.2800.1106 Objecten- en besturingselementenbibliotheek Shell Doc
WININET.DLL 70200000 614400 C:\WINDOWS\SYSTEM\WININET.DLL 6.00.2800.1106 Internet-extensies voor Win32
CRYPT32.DLL 5cf00000 479232 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.2133.6 Crypto API32
MSASN1.DLL 79b90000 65536 C:\WINDOWS\SYSTEM\MSASN1.DLL 4.4.3420 Microsoft ASN.1 Encoder/Decoder
OLEAUT32.DLL 7fe80000 610304 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4515
MSHTML.DLL 63580000 2822144 C:\WINDOWS\SYSTEM\MSHTML.DLL 6.00.2800.1276 Microsoft (R) HTML-viewer
MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL 6.00.2800.1106 Multi Language Support DLL
URLMON.DLL 1a400000 499712 C:\WINDOWS\SYSTEM\URLMON.DLL 6.00.2800.1282 OLE32-extensies voor Win32
VERSION.DLL bfe50000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.90.3000 Win32 VERSION core component
BROWSEUI.DLL 71160000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 6.00.2800.1106 Shell Browser-bibliotheek voor gebruikersinterface
OLE32.DLL 7ff20000 794624 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.3328 Microsoft OLE for Windows and Windows NT
SHDOCVW.DLL 71700000 1347584 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 6.00.2800.1276 Objecten- en besturingselementenbibliotheek Shell Doc
COMKLO.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\COMKLO.DLL
IPHLPAPI.DLL 4c50000 49152 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 4.90.3001.2 IP Helper API
MSAFD.DLL 79bc0000 40960 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.90.3000 Microsoft Windows Sockets 2.0 Service-aanbieder
DHCPCSVC.DLL 7ce80000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
ICMP.DLL 7b860000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
WS2_32.DLL 73200000 69632 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.90.3000 Windows Socket 2.0 32-Bit DLL
RASAPI32.DLL 7f780000 253952 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.90.3000 DLL-bestand van Inbelnetwerk
WSOCK32.DLL 731c0000 36864 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.90.3000 BSD Socket API for Windows
MSWSOCK.DLL 77960000 81920 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.90.3000 Microsoft WinSock Extension APIs
SECUR32.DLL 7f760000 69632 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.90.3000 Microsoft Win32 Security Services (Export Version)
SVRAPI.DLL 7f850000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.90.3000 32-bit common Server API library
MSNET32.DLL 7fa20000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.90.3000 Microsoft 32-bits Netwerk-API-bibliotheek
MSPWL32.DLL 7fa60000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.90.3000 Password list management library
TAPI32.DLL 7f860000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.90.3000 Microsoft® Windows(TM) Telephony API Client DLL
RPCRT4.DLL 7faa0000 344064 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.3335 Remote Procedure Call DLL
NETAPI32.DLL 7f890000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.90.3000 32-bit network API DLL
NETBIOS.DLL 7f730000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
MPR.DLL 7f120000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.90.3000 WIN32 Netwerk-interface-DLL
WS2HELP.DLL 731f0000 20480 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.90.3000 Windows Socket 2.0 Helper for Windows 98
NTDLL.DLL bfe70000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.90.3000 Win32 NTDLL core component
SHELL32.DLL 7fbc0000 2306048 C:\WINDOWS\SYSTEM\SHELL32.DLL 5.50.4134.100 Gemeenschappelijk DLL-bestand van Windows Shell
EXPLORER.EXE 400000 225280 C:\WINDOWS\EXPLORER.EXE 5.50.4134.100 Windows Verkenner
COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
SHLWAPI.DLL 70a70000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 6.00.2800.1276 Shell lichtgewicht hulpprogrammabibliotheek
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft (R) C Runtime Library
USER32.DLL bff40000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.90.3000 Win32 USER32 core component
GDI32.DLL bff10000 172032 C:\WINDOWS\SYSTEM\GDI32.DLL 4.90.3000 Win32 GDI core component
ADVAPI32.DLL bfe60000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.90.3000 Win32 ADVAPI32 core component
KERNEL32.DLL bff60000 544768 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel-kerncomponent


Vervolgens de Hijack log weer !!
Logfile of HijackThis v1.97.7
Scan saved at 23:42:29, on 23-4-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KNCGBE.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KNCGBE.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KNCGBE.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KNCGBE.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KNCGBE.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KNCGBE.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: OpinionBar IE monitor - {6607C683-AE7C-11D4-ACD7-0050DAC291A2} - C:\PROGRA~1\OPINIO~1\MYIEMO~2.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {1100A228-F975-4E5E-918A-D83A2CD539B8} - C:\WINDOWS\SYSTEM\KNCGBE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/dutch/TemplateGallery/msotd.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37567.5868287037
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab


Ik hoor het wel Pieter.
Ps de about_balnk restore zip van jou had ik ook nog gedraaid.

 

[Pieter Arntz]

Die about_blank_restore heb ik al teruggestuurd naar Noorwegen

Hij doet alles goed behalve de dll verwijderen.

dubbelklik op Killbox.exe . In het "Paste Full Path of File to Delete" venster, knip en plak je (niet typen of met de verkenner zoeken, hiervandaan knippen en plakken)

C:\WINDOWS\SYSTEM\KNCGBE.DLL

Klik niet op één van de knoppen maar klik op Action en kies "Delete on Reboot". In het volgende scherm, klik op File en kies "Add File". De filename en het pad dat je geplakt hebt zouden tevoorschijn moeten komen.

Nu moeten we nog een dll opsporen. Ik hoop dat je Engels goed is want ik heb geen zin om dit nu nog te vertalen:

Go to start>Run and type regedit. Press enter.

Navigate to:
Open the registry and navigate here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Highlight Windows in the left pane.

Look in the right pane for this value:
AppInit_Dlls

You won't see any data there.

But if you right click on that and choose Modify Binary Data you will.

If nothing is there it should just show a few 0's.

But if they are hiding a dll they load to resintall, it will show a path to it.


----------------------------
This is now one looks when there is only one file loading.
0000 00 00 3A 00 5C 00 77 00 ..:.\.w.
0008 69 00 6E 00 64 00 6F 00 i.n.d.o.
0010 77 00 73 00 5C 00 73 00 w.s.\.s.
0018 79 00 73 00 74 00 65 00 y.s.t.e.
0020 6D 00 33 00 32 00 5C 00 m.3.2.\.
0028 6D 00 73 00 6B 00 6B 00 m.s.k.k.
0030 67 00 2E 00 64 00 6C 00 g...d.l.
0038 6C 00 00 00 l...

Notice on the far right. You want to look there. It looks funny because all of the periods.

Look closely and you'll see the path and file name here was:
Windows\system32\mskkg.dll

This was the example. Yours will have its own file name. This is not the same file as you are seeing in your HijackThis log. Get its name the same as I just described.

Die dll zet je dan op dezelfde manier in het Add File venster.

Als dat gelukt is klik je op Action en "Process and Reboot". Je krijgt dan een prompt dat je opnieuw moet opstarten.

Als dat gebeurd is draai je de nieuwste versie van CWShredder

Maak dan een nieuw HijackThis log en post het.

Groetjes,

 

[math678]

Pieter, ik heb in de registry HKEY_local_machine software\microsoft\windows NT\current version\ .......
Nu komen er in deze map nog maar 2 anders mappen en die zijn
drivers.desc
drivers32
In beide van deze 2 mappen staat geen Appinit_dlls
(map windows highlights windows in the left pane ???)

 

[math678]

Zelfs met zoeken uit menu boven vind ik in het hele register nwergens Appinit_dlls

 

[Pieter Arntz]

Dom van mij. ME heeft dat niet.

Download dit programma eens:
http://www.diamondcs.com.au/index.php?page=apm

Kijk even of je snapt hoe het werkt.
Plaats dan een nieuw HijackThis log.
Even kijken of de dll nog hetzelfde is en of we hem dan kunnen verwijderen.

Groetjes,

Pieter

 

[joosterbroek]

nog een keertje

Goedendag,

zouden jullie dit eens kunnen bekijken en wat daarvan nutteloos is en of ongewenst.
Dit is van mijn vriendins computer.
ik heb spybot en adware gedraaid na updten van die twee.
ook het opstarten , zijn daar nog onnodige zaken ?

Logfile of HijackThis v1.97.7
Scan saved at 11:47:51, on 24-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Joost\Mijn documenten\hijak\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.wanadoo.nl;signup.wanadoo.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://redirect.tucows.com/lycos/home
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://www.bibliotheekduiven.nl/catalogus/mstscax.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37595.061875
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

en dan hier het opstarten

StartupList report, 24-4-2004, 11:48:26
StartupList version: 1.52
Started from : C:\Documents and Settings\Joost\Mijn documenten\hijak\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Joost\Mijn documenten\hijak\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten]
AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
hp psc 1000 series.lnk = ?
hpoddt01.exe.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
C-Media Mixer = Mixer.exe /startup
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
nwiz = nwiz.exe /install
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
FinePrint Dispatcher v4 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1081620195.job
Norton AntiVirus - Mijn computer scannen.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Microsoft Terminal Services Control (redist)]
InProcServer32 = C:\WINDOWS\DOWNLO~1\msrdp.ocx
CODEBASE = http://www.bibliotheekduiven.nl/catalogus/mstscax.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37595.061875

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\documents and settings\joost\cookies\joost@bluestreak[2].txt||c:\documents and settings\joost\cookies\joost@gator[1].txt||c:\documents and settings\joost\cookies\joost@revenue[1].txt||c:\documents and settings\joost\cookies\joost@tribalfusion[1].txt


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6 833 bytes
Report generated in 0.578 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

ik hoop dat je hier wat mee kunt.

groet Joost

 

[Pieter Arntz]

Joost,

Je bent hartstikke verdwaald. Hier moet je zijn:
http://www.helpmij.nl/forum/showthread.php?threadid=157005&goto=lastpost

Groetjes,

Pieter

 

[math678]

Beste Pieter,

Programma gedownload.
Opgeslagen op PC. (melding: succesfully installed)
Wanneer ik het programma start (dubbelklik op pictogram) krijg ik de volgende foutmelding:
APM heeft een fout veroorzaakt in <onbekend>.
APM wordt gesloten.
Als er zich problemen blijven voordoen, start computer opnieuw op.
Wederom geprobeerd: zelfde melding.
Na reboot PC Identieke situatie.
Nog meer tips. ??

 

[Pieter Arntz]

Een klein sprankje hoop. (op de meeste XP computers werkt het)

Update CWShredder naar versie 1.57.0 en gebruik de Fix knop.

Daarna scan je met AdAware. Plaats nog even een HijackThis log.

Groetjes,

Pieter

 

[math678]

Beste pieter, ik denk een schot in de roos.
CWSchredder gedraaid.
volgend resultaat: CWS searchx removed
Zie log:
Done!
Removed from your system:
- CWS.Searchx
- 7 infected IE registry values

Windows ME (4.90.3000 )
CWShredder v1.57.0
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit:
http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.spywareinfo.com/~merijn/cwschronicles.html

For donations to help support CWShredder, visit:
http://www.spywareinfo.com/~merijn/donate.html


VERVOLGENS:
in plaats van met spybot nu dus ad-aware gedownload en van het resultaat schrok ik.
Zo feliciteert spybot me steeds met geen spyware (volledig up to date spybot s&D).
Zie resultaat Ad-aware. (log bijgesloten)

Ik hoor het wel.

 

[math678]

Pieter, ik stond na het draaien van ad-aware voor de keuze of ik al deze 54 items moest deleten.
Ik wist niet of ik dat zonder meer kon doen.
Dat heb ik dus nog niet gedaan.
Derhalve nog geen hijacklog geplaatst.

Ik wacht op je reactie.

 

[Pieter Arntz]

Hoi math678,

Kijk maar even naar het aantal updates dat AdAware de laatste maanden gehad heeft en vergelijk met het aantal van Spybot S&D.

Als je na de scan de Quarantaine knop gebruikt wordt er een backup gemaakt.

Ik neem aan dat je tussendoor opnieuw opgestart bent, dus dan moet je van voren af opnieuw beginnen.

Groetjes,

Pieter

 

[math678]

Pieter,
het volgende heb ik gedaan in genoemde volgorde:
1) cwschredder gedraaid: geeft aan systeem clean nu
2) adaware gedraaid: 54 meldingen...in quarantine gezet.
3) Killbox gedraaid: en de geknipte regel (knippen / plakken) laten deleten. Dus niet via verkenner bestand geselecteerd. (c:windows/system kncgbe.dll)
4) vervolgens weer adaware gedraaid: vindt nu 1 item...in quarantine gezet
5) vervolgens weer adaware gedraaid: vindt HETZELDE ITEM WEER !!!!!!
Vendor: coolwebsearch
Type: regvalue
Category:Malware
Comment:homeoldsp
6) Hijacklog gedraaid en de bekende steeds door jou aangegeven regels aangevinkt en laten verwijderen
6) In configuratiescherm startpagina weer op www.startpagina.nl gezet.
7) Reboot machine

BIJLAGE: adawarelog van het ene item wat steeds terug blijft komen
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :zondag 25 april 2004 20:10:45
Created with Ad-aware Personal, free for private use.
Using reference-file :1R200 12.07.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


25-4-2004 20:10:45 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279195167
Threads : 8
Priority : High
FileSize : 532 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel-kerncomponent
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294935431
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bits VxD-berichtserver
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:3 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294848115
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:4 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294860699
Threads : 4
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Taakplanner Engine
InternalName : Taakplanner
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:5 [ssdpsrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294869747
Threads : 4
Priority : Normal
FileSize : 55 KB
FileVersion : 4.90.3002.0
ProductVersion : 4.90.3002.0
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
OriginalFilename : ssdpsrv.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 19-2-2002 21:30:43
Last accessed : 24-4-2004 22:00:00
Last modified : 28-9-2001 15:53:22

#:6 [ccevtmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294889359
Threads : 19
Priority : Normal
FileSize : 313 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 28-11-2002 7:44:02
Last accessed : 24-4-2004 22:00:00
Last modified : 28-11-2002 7:44:02

#:7 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294774247
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:8 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294789879
Threads : 6
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft (r) PCHealth
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294834255
Threads : 33
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Verkenner
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Besturingssysteem Microsoft(R) Windows (R) 2000
Created on : 8-6-2000 15:00:00
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:10 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294651239
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:11 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294687139
Threads : 3
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : Systeemwerkblad-applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:12 [starter.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294691511
Threads : 2
Priority : Normal
FileSize : 32 KB
FileVersion : 5.00.05
ProductVersion : 5.00.05
Copyright : Copyright
CompanyName : Creative Technology, Ltd.
FileDescription : This program launches the mixer application.
InternalName : starter
OriginalFilename : starter.exe
ProductName : starter
Created on : 20-2-2001 11:54:42
Last accessed : 24-4-2004 22:00:00
Last modified : 10-8-2000 9:58:46

#:13 [mhotkey.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294665815
Threads : 2
Priority : Normal
FileSize : 438 KB
FileVersion : 2, 0, 0, 8
ProductVersion : 2, 0, 0, 8
Copyright : Copyright (c) 2000 Chicony
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
OriginalFilename : mHotkey.res
ProductName : Chicony Multimedia Driver
Created on : 20-2-2001 17:49:14
Last accessed : 24-4-2004 22:00:00
Last modified : 4-7-2000 14:38:04

#:14 [loadqm.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294638635
Threads : 4
Priority : Normal
FileSize : 7 KB
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
OriginalFilename : LOADQM.EXE
ProductName : QMgr Loader
Created on : 4-11-2002 21:24:01
Last accessed : 24-4-2004 22:00:00
Last modified : 3-5-2000 15:23:10

#:15 [hpztsb05.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294628211
Threads : 2
Priority : Normal
FileSize : 184 KB
FileVersion : 2,121,0,0
ProductVersion : 2,121,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2002
CompanyName : HP
ProductName : HP DeskJet
Created on : 26-3-2003 17:41:10
Last accessed : 24-4-2004 22:00:00
Last modified : 6-6-2002 19:31:34

#:16 [ccapp.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294704283
Threads : 18
Priority : Normal
FileSize : 56 KB
FileVersion : 1.08.01
ProductVersion : 1.08.01
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 13-8-2003 9:52:46
Last accessed : 24-4-2004 22:00:00
Last modified : 15-7-2003 12:56:58

#:17 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294511419
Threads : 3
Priority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 20-4-2004 21:40:44
Last accessed : 24-4-2004 22:00:00
Last modified : 20-4-2004 21:40:46

#:18 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294600851
Threads : 3
Priority : Normal
FileSize : 44 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:19 [msnmsgr.exe]
FilePath : C:\PROGRAM FILES\MSN MESSENGER\
ProcessID : 4294556203
Threads : 10
Priority : Normal
FileSize : 4572 KB
FileVersion : 6.1.0211
ProductVersion : Version 6.1
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : Messenger
Created on : 4-3-2004 21:01:00
Last accessed : 24-4-2004 22:00:00
Last modified : 4-3-2004 21:01:00

#:20 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294534171
Threads : 4
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:21 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294475671
Threads : 1
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 4-9-2002 7:10:22
Last accessed : 24-4-2004 22:00:00
Last modified : 4-9-2002 7:10:22

#:22 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294283951
Threads : 8
Priority : Realtime
FileSize : 32 KB
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 13-8-2003 20:42:53
Last accessed : 24-4-2004 22:00:00
Last modified : 11-12-2002 22:14:32

#:23 [msimn.exe]
FilePath : C:\PROGRAM FILES\OUTLOOK EXPRESS\
ProcessID : 4294477747
Threads : 9
Priority : Normal
FileSize : 55 KB
FileVersion : 6.00.2800.1123
ProductVersion : 6.00.2800.1123
CompanyName : Microsoft Corporation
FileDescription : Outlook Express
InternalName : MSIMN
OriginalFilename : MSIMN.EXE
ProductName : Besturingssysteem Microsoft
Created on : 23-10-2002 14:55:18
Last accessed : 24-4-2004 22:00:00
Last modified : 23-10-2002 14:55:18

#:24 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294507483
Threads : 5
Priority : Normal
FileSize : 82 KB
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 1-1-1601
Last accessed : 24-4-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:25 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294233455
Threads : 3
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 24-4-2004 22:06:13
Last accessed : 24-4-2004 22:00:00
Last modified : 12-7-2003 20:00:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1


20:13:46 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:02:59:820
Objects scanned :27229
Objects identified :1
Objects ignored :0
New objects :1



Pieter ik hoor het wel weer

 

[math678]

Na de reboot:
c;windows system kncgbe.dll bestaat niet meer
startpagina komt weer steeds goed op.

WAt moet ik nog doen met die ene melding uit de adaware log ????
Had ik nu last van een virus of wat was er nu aan de hand met mijn PC Pieter ????

 

[Pieter Arntz]

Hoi math 678,

Kan AdAware die repareren of niet?

Als het goed is ziet die er in HijackThis zo uit:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank

en zolang about: blank echt blanco is zou ik me daar niet teveel zorgen over maken.

Groetjes,

Pieter

 

[math678]

Ik heb geen r1 meer maar een r0 waarin achterin staat dat mijn startpagina weer www.startpagina.nl is.
Pieter hartstikke bedankt.
Bij mij draait voortaan Adaware ipv Spybot dat weet ik zeker.
Nogmaals bedankt

 

[Pieter Arntz]

Graag gedaan.

Ik hoop dat het wegblijft.

Groetjes,

Pieter