richfind


don_nl

I am also troubled by a start page that keeps coming back and just won't stay away. I downloaded and updated Ad-Aware SE and had HijackThis run a scan; my log is as follows. If anyone would like to give their expert opinion on it, please do!

Thanks in advance!

log:

Logfile of HijackThis v1.98.2
Scan saved at 5:05:37, on 25-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\norton\norton2004\Norton AntiVirus\navapsvc.exe
F:\norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\norton\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
F:\norton\norton2004\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
F:\Nero\Incd\InCD.exe
F:\quicktime\qttask.exe
F:\msgplus2.0\MsgPlus.exe
G:\Thrustmapper\TMTMTSR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\hp1200\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\rundll32.exe
G:\hp1200\Digital Imaging\bin\hpotdd01.exe
G:\foto\custom\CalCheck.exe
C:\Program Files\DV Series\Console\Watch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
G:\hp1200\Digital Imaging\bin\hpoevm08.exe
G:\hp1200\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\adaware se\Ad-Aware SE Personal\Ad-Aware.exe
F:\Winrar\WinRAR.exe
C:\DOCUME~1\D-van\LOCALS~1\Temp\Rar$EX00.647\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://bad-url.com/start.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://bad-url.com/start.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Tiscali
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
R3 - URLSearchHook: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O1 - Hosts: 213.222.11.11 auto.search.msn.com
O2 - BHO: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {23cc8cde-b390-4b96-8065-37f2fcc4598c} - (no file)
O2 - BHO: Richfind - {34E1751C-D75A-4599-9D39-15E682D83590} - C:\WINDOWS\System32\Q973860.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\norton\norton2004\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {29e1053b-64c3-44d9-98b6-5b602d498372} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\norton\norton2004\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: win32 - {C94158E1-6151-4442-ABE6-FD53D6534EFB} - C:\WINDOWS\Downloaded Program Files\tbuF\win32.dll
O3 - Toolbar: RichFind - {E5A2678F-DA83-4D2E-BA85-6236E90098FA} - C:\WINDOWS\richfind.dll
O3 - Toolbar: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O3 - Toolbar: Richfind - {218A2833-30BE-4634-A104-709E98BD2A8F} - C:\WINDOWS\System32\Q973860.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] F:\SBlive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Nero\Incd\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "F:\msgplus2.0\MsgPlus.exe"
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [ThrustTSR] G:\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] F:\norton\norton2004\UrlLstCk.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MessengerPlus2] "F:\msgplus2.0\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Spyware Begone] G:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Officexp\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = G:\foto\custom\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: Download with Go!Zilla - file://F:\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://F:\Officexp\Office10\EXCEL.EXE/3000
O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O9 - Extra button: Richfind - {218A2833-30BE-4634-A104-709E98BD2A8F} - C:\WINDOWS\System32\Q973860.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Yahoo\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Yahoo\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://bad-url.com/start.php?
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.nl
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/114.chm::/file.exe
O16 - DPF: {11111111-1111-1111-1111-114588010476} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.easywww.info/safe/payloadexe.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {BB0578ED-E672-4697-9663-EC5A0460B949} (SomaticCAB.Setup) - http://downloads.searchcentrix.com/install/weblz.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C94158E1-6151-4442-ABE6-FD53D6534EFB} (win32) - http://searchfind.info/bar/win32.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E5A2678F-DA83-4D2E-BA85-6236E90098FA} (RichFind) - http://searchfind.info/bar/richfind.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = p29311.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = p29311.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C9CA068-C2BE-44F1-AEEA-F79F772A125A}: Domain = p29311.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C9CA068-C2BE-44F1-AEEA-F79F772A125A}: NameServer = 195.241.48.33,195.241.49.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CFF83C4-95D6-4E0F-9ECF-4BA1A89CE6DB}: Domain = p29311.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C52A970-D305-4A9E-B629-8A810A996927}: Domain = p29311.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = p29311.find-quick.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = p29311.find-quick.com
O18 - Filter: text/html - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O18 - Filter: text/plain - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
 
Posted by don_nl

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://bad-url.com/start.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://bad-url.com/start.php?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html

R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
R3 - URLSearchHook: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll

O1 - Hosts: 213.222.11.11 auto.search.msn.com

O2 - BHO: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll

O2 - BHO: (no name) - {23cc8cde-b390-4b96-8065-37f2fcc4598c} - (no file)
O2 - BHO: Richfind - {34E1751C-D75A-4599-9D39-15E682D83590} - C:\WINDOWS\System32\Q973860.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

O3 - Toolbar: (no name) - {29e1053b-64c3-44d9-98b6-5b602d498372} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: win32 - {C94158E1-6151-4442-ABE6-FD53D6534EFB} - C:\WINDOWS\Downloaded Program Files\tbuF\win32.dll
O3 - Toolbar: RichFind - {E5A2678F-DA83-4D2E-BA85-6236E90098FA} - C:\WINDOWS\richfind.dll
O3 - Toolbar: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O3 - Toolbar: Richfind - {218A2833-30BE-4634-A104-709E98BD2A8F} - C:\WINDOWS\System32\Q973860.dll

O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Spyware Begone] G:\freescan\freescan.exe -FastScan

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O9 - Extra button: Richfind - {218A2833-30BE-4634-A104-709E98BD2A8F} - C:\WINDOWS\System32\Q973860.dll

O13 - DefaultPrefix: http://bad-url.com/start.php?

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/114.chm::/file.exe
O16 - DPF: {11111111-1111-1111-1111-114588010476} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.easywww.info/safe/payloadexe.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {BB0578ED-E672-4697-9663-EC5A0460B949} (SomaticCAB.Setup) - http://downloads.searchcentrix.com/install/weblz.CAB
O16 - DPF: {C94158E1-6151-4442-ABE6-FD53D6534EFB} (win32) - http://searchfind.info/bar/win32.cab
O16 - DPF: {E5A2678F-DA83-4D2E-BA85-6236E90098FA} (RichFind) - http://searchfind.info/bar/richfind.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = p29311.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = p29311.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C9CA068-C2BE-44F1-AEEA-F79F772A125A}: Domain = p29311.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CFF83C4-95D6-4E0F-9ECF-4BA1A89CE6DB}: Domain = p29311.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C52A970-D305-4A9E-B629-8A810A996927}: Domain = p29311.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = p29311.find-quick.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = p29311.find-quick.com

O18 - Filter: text/html - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O18 - Filter: text/plain - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll


Oh dear :(

Sit down calmly for a moment and carry out the following carefully.

First create a dedicated, permanent folder for HijackThis, for example C:\Program Files\HJT. Put HijackThis.exe in that folder and from now on run it from that folder.


1. Download CWShredder now, but do not use it yet: http://downloads.subratam.org/CWShredder.exe

2. Scan with HijackThis. Check the items above (see quote). Pay close attention: check exactly those items (and no other items). Close all windows except HijackThis itself. Click "Fix checked". (Now continue immediately with step 3, so do not restart the PC.)

3. Now run CWShredder. Use the Fix button.

4. Restart the PC in safe mode.
If you do not know how to do that, have a look here: http://www.virushelp.nl/veilige_modus.htm

Make sure that hidden files and folders are shown.
You can read how to do that here: http://users.telenet.be/marcvn/spyware/1117602.htm

Now, still in safe mode, delete the following files and folders (as far as they are still present):

C:\WINDOWS\secure32.html <- that file
C:\WINDOWS\System32\Q973860.dll <- that file
C:\Program Files\Window Active <- that folder
C:\Program Files\MyWebSearch <- that folder
C:\WINDOWS\Downloaded Program Files\tbuF <- that folder
G:\freescan <- that folder

5. Restart the PC in 'normal mode'. Immediately run another full scan with AdAware SE. Let AdAware remove everything that is found.
Then restart the PC again.

6. Create a new log with HijackThis and post it here.
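
Several of the entries selected in the quote share structural oddities (an all-zero CLSID, a "(no file)" target, a Hosts override, a DPF download from an IP address or an mhtml:/ms-its: wrapper), and the new log from step 6 can be checked against them. The Python below is an added example, not part of the original post and not the helper's own method; the heuristic labels and function names are assumptions, and the sample lines are copied from the logs on this page.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body raw")

NIL_CLSID = "{00000000-0000-0000-0000-000000000000}"
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")      # e.g. "O2 - BHO: ..."
HTTP_HOST_RE = re.compile(r"^https?://([^/:]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Excerpt of the first log on this page.
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O1 - Hosts: 213.222.11.11 auto.search.msn.com
O2 - BHO: Richfind - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\Q973860.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\norton\norton2004\Norton AntiVirus\NavShExt.dll
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {11111111-1111-1111-1111-114588010476} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.easywww.info/safe/payloadexe.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

# Excerpt of the follow-up log on this page.
AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\norton\norton2004\Norton AntiVirus\NavShExt.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""


def parse(log_text):
    """Return the R/F/N/O entries of a log; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line.strip()))
    return entries


def anomalies(entry):
    """Structural heuristics only (assumed for this example); no name blocklist."""
    reasons = []
    if NIL_CLSID in entry.body:
        reasons.append("nil-clsid")            # all-zero GUID is not a real class id
    if entry.body.endswith("(no file)"):
        reasons.append("missing-file")         # registration points at nothing
    if entry.code == "O1":
        reasons.append("hosts-override")       # Hosts file redirects a hostname
    if entry.code == "O16":
        source = entry.body.split(" - ", 1)[-1]
        if source.lower().startswith(("mhtml:", "ms-its:")):
            reasons.append("dpf-wrapped-scheme")
        host = HTTP_HOST_RE.match(source)
        if host and IPV4_RE.match(host.group(1)):
            reasons.append("dpf-ip-literal-host")
    return reasons


def triage(log_text):
    """List (raw line, reasons) for every entry that trips a heuristic."""
    result = []
    for entry in parse(log_text):
        reasons = anomalies(entry)
        if reasons:
            result.append((entry.raw, reasons))
    return result


def still_present(before_text, after_text):
    """Flagged lines of the first log that reappear unchanged in the new log."""
    after_raw = {entry.raw for entry in parse(after_text)}
    return [raw for raw, _ in triage(before_text) if raw in after_raw]


if __name__ == "__main__":
    for raw, reasons in triage(BEFORE):
        print(",".join(reasons), "|", raw)
    print("left over after cleanup:", still_present(BEFORE, AFTER))
```

An entry that trips none of these checks is not thereby shown to be harmless; the heuristics only cover the patterns named above.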
 
Thank you very much for your help.

I did everything as carefully as possible.
In the end I got this log.
(PS: every time I switch on the PC my MSN has to be reinstalled; it has been doing that for a while too... can that be fixed as well?)
Thanks in advance.

don

Logfile of HijackThis v1.98.2
Scan saved at 16:42:19, on 26-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\norton\norton2004\Norton AntiVirus\navapsvc.exe
F:\norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\norton\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
F:\norton\norton2004\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
F:\Nero\Incd\InCD.exe
F:\quicktime\qttask.exe
F:\msgplus2.0\MsgPlus.exe
G:\Thrustmapper\TMTMTSR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\rundll32.exe
G:\hp1200\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\msiexec.exe
G:\hp1200\Digital Imaging\bin\hpotdd01.exe
G:\foto\custom\CalCheck.exe
C:\Program Files\DV Series\Console\Watch.exe
C:\Program Files\Messenger\msmsgs.exe
G:\hp1200\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
G:\hp1200\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Tiscali
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\norton\norton2004\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\norton\norton2004\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] F:\SBlive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Nero\Incd\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "F:\msgplus2.0\MsgPlus.exe"
O4 - HKLM\..\Run: [ThrustTSR] G:\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] F:\norton\norton2004\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MessengerPlus2] "F:\msgplus2.0\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Officexp\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = G:\foto\custom\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O8 - Extra context menu item: Download with Go!Zilla - file://F:\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://F:\Officexp\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Yahoo\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Yahoo\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.nl
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C9CA068-C2BE-44F1-AEEA-F79F772A125A}: NameServer = 195.241.48.33,195.241.49.33
 
Well done, this log is completely clean. :thumb:

Given the large amount of spyware you had collected, I recommend installing SpywareBlaster. That small program sets so-called "kill bits" in the registry, so that a lot of spyware can no longer get in.

Download it here: http://www.javacoolsoftware.com/spywareblaster.html
Fetch the newest updates by clicking "Download Latest Protection Updates".
Then click, and this is important, "Enable All Protection".
You can then close the program; it does not even need to be running to do its job! Just open it now and then to see whether there are updates.


I am not familiar with that problem with Messenger. You could ask a question about it in the section on messengers.
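
What a "kill bit" looks like in the registry: a `Compatibility Flags` DWORD with bit 0x00000400 set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, which stops Internet Explorer from instantiating that ActiveX control. The Python below is an added example, not part of the original post and not SpywareBlaster's code; it matches the CLSIDs of O16 (DPF) lines against a registry export. The `.reg` text is constructed for illustration and says nothing about which CLSIDs SpywareBlaster actually covers; the function names are assumptions.

```python
import re

KILL_BIT = 0x00000400
AXCOMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

KEY_RE = re.compile(r"^\[" + re.escape(AXCOMPAT) + r"\\(" + CLSID + r")\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)
DPF_RE = re.compile(r"^O16 - DPF: (" + CLSID + r")")

# O16 lines copied from the first log on this page.
LOG = r"""
O16 - DPF: {BB0578ED-E672-4697-9663-EC5A0460B949} (SomaticCAB.Setup) - http://downloads.searchcentrix.com/install/weblz.CAB
O16 - DPF: {C94158E1-6151-4442-ABE6-FD53D6534EFB} (win32) - http://searchfind.info/bar/win32.cab
O16 - DPF: {E5A2678F-DA83-4D2E-BA85-6236E90098FA} (RichFind) - http://searchfind.info/bar/richfind.cab
"""

# Constructed registry export (already decoded to text; real exports are UTF-16).
REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5a2678f-da83-4d2e-ba85-6236e90098fa}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C94158E1-6151-4442-ABE6-FD53D6534EFB}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""


def flags_from_reg(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in the export."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None   # leave unrelated keys
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def dpf_clsids(log_text):
    """CLSIDs of the O16 'Downloaded Program Files' entries in a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        m = DPF_RE.match(line.strip())
        if m:
            found.append(m.group(1).upper())
    return found


def killbit_coverage(log_text, reg_text):
    """For each DPF CLSID in the log: is the kill bit set in the export?"""
    flags = flags_from_reg(reg_text)
    return {c: bool(flags.get(c, 0) & KILL_BIT) for c in dpf_clsids(log_text)}


if __name__ == "__main__":
    for clsid, blocked in killbit_coverage(LOG, REG).items():
        print(clsid, "kill bit set" if blocked else "NOT blocked")
```

A set kill bit only prevents the control from loading in Internet Explorer; files and other registry entries that are already on disk still have to be removed as in the cleanup steps.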
 
OK,

Thanks a lot in any case. I have no idea how you make sense of all those codes to see whether it is clean, but I believe it right away. I just wonder how I could recognize it if something settles into my computer again. I have also installed SpywareBlaster, so I don't need to do anything more with it? Just open it now and then... And if it finds something, it takes care of itself?

I will keep looking into the Messenger problem.

Thanks in any case!

don :thumb:
 
With SpywareBlaster you do not have to do anything further, just open it now and then (about once a week) to check whether there are updates. This program does not search for anything and so will never find anything; it is not a spyware scanner. It only makes sure that all kinds of spyware that is already known can no longer end up on your PC. It does not prevent everything, mind you, but quite a lot. To search for spyware and remove it you have to scan with AdAware SE or Spybot - Search & Destroy. Do that regularly, because something will always end up on your PC.
 
Okay, I will scan with AdAware now and then, and then I can remove everything without any problem, right? There are also several tabs in that program, for different kinds of files; should I then only remove the ones with the little bug on the tab?

don
 