Mededeling

Collapse
No announcement yet.

check hijacklog GMO svp

Collapse
X
  •  
  • Tijd
  • Show
Clear All
new posts

  • check hijacklog GMO svp

    Ik heb Adaware gedraaid en alles gecleaned wat AW aangaf. Daarna Hijack gedraaid. Nadat alles gecleaned is en ik opnieuw opstart komt m.n de volgende malware naar voren:
    istbar regkey Hkey-users.s-1-5-21-3161323026-4139940787-2929000479-1005\software\ist en .... \ist"recover'.
    Als ik in register kijk nadat Adaware gedraaid heeft zijn ze weg, maar na opstart staan ze weer in de registers. Uit de hijack log die ik hiervoor gedraaid heb, heb ik verwijderd:
    R3-URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497)-(no file) en
    O4-HKLM\..\Run:[IST service] C:\Pogram Files\Istsvc\istsvc.exe
    Kunnen jullie svp aangeven of bovenstaande weer terug moet en zoja hoe en svp onderstaande hijack log checken en svp aangeven wat eruit kan:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:45:05, on 4-1-2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\windows\system32\taskmgn.exe
    C:\WINDOWS\tlkfwefc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Gert Mooij\Menu Start\Programma's\Opstarten\winupdate96163810[1].exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ssoftsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\unzipped\Hijack This\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arnhem.chello.nl:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
    O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
    O4 - HKLM\..\Run: [hoVStJ1QX] C:\WINDOWS\tlkfwefc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: winupdate96163810[1].exe
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37718.344375
    O16 - DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} (MidRadioCtrl Class) - http://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinste.cab&ptx=mratdl
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab

    Dank. gr gert

  • #2
    Hoi Gert,

    Ik kijk en lees alleen nog mee, om logs te kunnen beoordelen, maar ik zie dat jij een oude versie van hijack this hebt.
    Download en installeer versie 1.99.0 van HijackThis http://www.nucia.eu/downloads/hijackthis/index.html
    Maak daarmee een nieuw log en plaats dat hier.

    Groeten Oossie
    Oossie

    Comment


    • #3
      GMO hijack log nieuwste versie check pls

      Oorspronkelijk geplaatst door Oossie
      Hoi Gert,

      Ik kijk en lees alleen nog mee, om logs te kunnen beoordelen, maar ik zie dat jij een oude versie van hijack this hebt.
      Download en installeer versie 1.99.0 van HijackThis http://www.nucia.eu/downloads/hijackthis/index.html
      Maak daarmee een nieuw log en plaats dat hier.

      Groeten Oossie
      Onderstaand dan de log met de laatste versie van hijack. Mijn vragen uit m'n eerste email blijven hetzelfde. Dank. gr Gert

      Logfile of HijackThis v1.99.0
      Scan saved at 17:08:26, on 5-1-2005
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\SYSTEM32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\System32\carpserv.exe
      C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
      C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      C:\windows\system32\taskmgn.exe
      C:\WINDOWS\tlkfwefc.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\Documents and Settings\Gert Mooij\Menu Start\Programma's\Opstarten\winupdate96163810[1].exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\SCardSvr.exe
      C:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\WINDOWS\system32\ssoftsrv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      C:\WINDOWS\System32\wuauclt.exe
      C:\WINDOWS\explorer.exe
      C:\Program Files\ISTsvc\istsvc.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\unzipped\Hijack This\hijackthis vs1990.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arnhem.chello.nl:8080
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
      O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
      O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
      O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
      O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
      O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [CARPService] carpserv.exe
      O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
      O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
      O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
      O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
      O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
      O4 - HKLM\..\Run: [hoVStJ1QX] C:\WINDOWS\tlkfwefc.exe
      O4 - HKLM\..\Run: [¢‰¸K0¨4W
      }ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tlkfwefc.exe
      O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
      O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O4 - Startup: winupdate96163810[1].exe
      O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
      O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
      O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
      O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
      O16 - DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} (MidRadioCtrl Class) - http://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinste.cab&ptx=mratdl
      O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
      O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\YAMAHA\MidRadio Player\MidRadio.ocx
      O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
      O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
      O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
      O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
      O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      O23 - Service: Cryptainer service - Unknown - ssoftsrv.exe (file missing)
      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

      Comment


      • #4
        Zoals je ziet is dat 04-item dat je had gefixt gewoon teruggekomen. Er is meer voor nodig om ISTsvc/ISTbar definitief te verwijderen.


        1. Scan met HijackThis en vink de volgende items aan:

        O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

        O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
        O4 - HKLM\..\Run: [hoVStJ1QX] C:\WINDOWS\tlkfwefc.exe
        O4 - HKLM\..\Run: [¢‰¸K0¨4W
        }ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tlkfwefc.exe
        O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

        O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
        Sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".

        2. Herstart de pc in veilige modus.
        Mocht je niet weten hoe dat moet, kijk dan hier even: http://www.virushelp.nl/veilige_modus.htm

        Zorg ervoor dat verborgen bestanden en mappen worden weergegeven.
        Hier kun je lezen hoe dat moet: http://users.telenet.be/marcvn/spyware/1117602.htm

        Verwijder nu, in veilige modus dus, de volgende bestanden en mappen:

        C:\Program Files\ISTsvc <- die map
        C:\WINDOWS\tlkfwefc.exe <- dat bestand
        C:\WINDOWS\system32\taskmgn.exe <- dat bestand (LET OP: niet verwarren met taskmgr.exe!)

        3. Herstart de pc in 'normale modus'.

        4. Maak een nieuw log en plaats dat hier.

        Comment


        • #5
          hijacklog na cleaning procedure GMO

          Hi Buffy bedankt voor je support. Heb gedaan wat je zei. Onderstaand de hijack log die ik daarna gemaakt heb. Volgens mij staat de Taskmngn.exe er nog in. Deze ook eruit halen? Graag advies. Dank gr gert

          Logfile of HijackThis v1.99.0
          Scan saved at 23:45:26, on 5-1-2005
          Platform: Windows XP SP1 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\SYSTEM32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
          C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
          C:\WINDOWS\System32\nvsvc32.exe
          C:\WINDOWS\system32\ssoftsrv.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
          C:\WINDOWS\System32\wuauclt.exe
          C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
          C:\WINDOWS\SOINTGR.EXE
          C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
          C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
          C:\Program Files\DSB\dsb.exe
          C:\Program Files\Common Files\Symantec Shared\ccApp.exe
          C:\WINDOWS\System32\carpserv.exe
          C:\WINDOWS\System32\ctfmon.exe
          C:\Program Files\SpywareGuard\sgmain.exe
          C:\Documents and Settings\Gert Mooij\Menu Start\Programma's\Opstarten\winupdate96163810[1].exe
          C:\Program Files\SpywareGuard\sgbhp.exe
          C:\WINDOWS\System32\msiexec.exe
          c:\windows\system32\taskmgn.exe
          C:\Program Files\Norton AntiVirus\navapsvc.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\unzipped\Hijack This\hijackthis vs1990.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arnhem.chello.nl:8080
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
          O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
          O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
          O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
          O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
          O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
          O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
          O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
          O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
          O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
          O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
          O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
          O4 - HKLM\..\Run: [CARPService] carpserv.exe
          O4 - HKLM\..\Run: [Agent] C:\Program Files\CyberLink\PowerVCRII\Agent.exe
          O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
          O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
          O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
          O4 - HKCU\..\Run: [EzAgent] C:\Program Files\ASUS\ASUS FM Radio\ezagent.exe
          O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
          O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
          O4 - Startup: winupdate96163810[1].exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O4 - Global Startup: Monitor.lnk = ?
          O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
          O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
          O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
          O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
          O16 - DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} (MidRadioCtrl Class) - http://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinste.cab&ptx=mratdl
          O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
          O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
          O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\YAMAHA\MidRadio Player\MidRadio.ocx
          O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
          O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
          O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
          O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
          O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
          O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
          O23 - Service: Cryptainer service - Unknown - ssoftsrv.exe (file missing)
          O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

          Comment


          • #6
            1. Scan met HijackThis en vink de volgende items aan:

            O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
            O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
            O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe

            O16 - DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} (MidRadioCtrl Class) - http://adweb.music-eclub.com/php/adw...cab&ptx=mratdl
            Sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".

            2. Herstart de pc in veilige modus.
            Mocht je niet weten hoe dat moet, kijk dan hier even: http://www.virushelp.nl/veilige_modus.htm

            Zorg ervoor dat verborgen bestanden en mappen worden weergegeven.
            Hier kun je lezen hoe dat moet: http://users.telenet.be/marcvn/spyware/1117602.htm

            Verwijder nu, in veilige modus dus, de volgende bestanden en mappen:

            C:\Program Files\DSB <- die map
            c:\windows\system32\taskmgn.exe <- dat bestand

            3. Herstart de pc in 'normale modus'.

            4. Maak een nieuw log en plaats dat hier.

            Comment


            • #7
              3e hijack log na uitvoering instructies GMO

              Hi Buffy bedankt weer. Onderstaand de derde log na uitvoering van jouw instructies. Die taskmgn.exe blijft maar terugkomen, terwijl ik zeker weet die ook weggegooid te hebben. gr Gert

              Logfile of HijackThis v1.99.0
              Scan saved at 18:16:21, on 6-1-2005
              Platform: Windows XP SP1 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\SYSTEM32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\Explorer.EXE
              C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
              C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
              C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
              C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
              C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
              C:\WINDOWS\SOINTGR.EXE
              C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
              C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\Common Files\Symantec Shared\ccApp.exe
              C:\WINDOWS\System32\carpserv.exe
              C:\WINDOWS\System32\ctfmon.exe
              C:\Program Files\SpywareGuard\sgmain.exe
              C:\Documents and Settings\Gert Mooij\Menu Start\Programma's\Opstarten\winupdate96163810[1].exe
              C:\Program Files\SpywareGuard\sgbhp.exe
              C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
              C:\WINDOWS\System32\nvsvc32.exe
              C:\WINDOWS\system32\ssoftsrv.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
              C:\WINDOWS\System32\msiexec.exe
              C:\WINDOWS\System32\wuauclt.exe
              C:\Program Files\Norton AntiVirus\navapsvc.exe
              C:\WINDOWS\System32\wuauclt.exe
              c:\windows\system32\taskmgn.exe
              C:\unzipped\Hijack This\hijackthis vs1990.exe
              C:\Program Files\Messenger\msmsgs.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arnhem.chello.nl:8080
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
              O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
              O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
              O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
              O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
              O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
              O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
              O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
              O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
              O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
              O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
              O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
              O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
              O4 - HKLM\..\Run: [CARPService] carpserv.exe
              O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
              O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
              O4 - Startup: winupdate96163810[1].exe
              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
              O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
              O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
              O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
              O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
              O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
              O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
              O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
              O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
              O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
              O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
              O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
              O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
              O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
              O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
              O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
              O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
              O23 - Service: Cryptainer service - Unknown - ssoftsrv.exe (file missing)
              O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

              Comment


              • #8
                Dan dit maar even proberen:

                Download Pocket Killbox: http://www.bleepingcomputer.com/file...re/KillBox.zip
                Unzip het naar een eigen map.

                Start Pocket Killbox (dubbelklikken op KillBox.exe).


                Kopieer de volgende vetgedrukte regel en plak die in de box bij "Full Path of File to Delete":

                c:\windows\system32\taskmgn.exe

                Selecteer "Delete on Reboot".
                Klik op de rode knop met het witte kruis.
                Klik "Yes" als KillBox vraagt of je nu wilt rebooten.
                Klik nogmaals "Yes" als KillBox om bevestiging vraagt.

                De pc wordt nu opnieuw opgestart.


                Maak daarna een nieuw HijackThis-log en plaats dat hier.


                (Komt het nog terug, dan zit er ergens een boosdoener die in het HJT-log niet te zien is. Die zullen we dan moeten gaan opsporen.)

                Comment


                • #9
                  hijacklog na cleaning met killbot

                  Dit is de log na jouw instructies om mbv killbot te verwijderen. Zo te zien wil die nog niet erg. Weer bedankt. gr Gert

                  Logfile of HijackThis v1.99.0
                  Scan saved at 18:46:00, on 6-1-2005
                  Platform: Windows XP SP1 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\SYSTEM32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                  C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
                  C:\WINDOWS\SOINTGR.EXE
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
                  C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
                  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                  C:\WINDOWS\System32\carpserv.exe
                  C:\WINDOWS\System32\ctfmon.exe
                  C:\Program Files\SpywareGuard\sgmain.exe
                  C:\Documents and Settings\Gert Mooij\Menu Start\Programma's\Opstarten\winupdate96163810[1].exe
                  C:\Program Files\SpywareGuard\sgbhp.exe
                  C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                  C:\WINDOWS\System32\nvsvc32.exe
                  C:\WINDOWS\system32\ssoftsrv.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                  C:\WINDOWS\System32\msiexec.exe
                  c:\windows\system32\taskmgn.exe
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\WINDOWS\System32\wuauclt.exe
                  C:\Program Files\Norton AntiVirus\navapsvc.exe
                  C:\WINDOWS\System32\wuauclt.exe
                  C:\unzipped\Hijack This\hijackthis vs1990.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arnhem.chello.nl:8080
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                  O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
                  O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
                  O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
                  O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
                  O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
                  O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                  O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
                  O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
                  O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                  O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
                  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
                  O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
                  O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
                  O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                  O4 - HKLM\..\Run: [CARPService] carpserv.exe
                  O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
                  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                  O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
                  O4 - Startup: winupdate96163810[1].exe
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                  O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
                  O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
                  O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
                  O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
                  O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
                  O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
                  O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                  O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
                  O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                  O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
                  O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                  O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                  O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
                  O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
                  O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                  O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                  O23 - Service: Cryptainer service - Unknown - ssoftsrv.exe (file missing)
                  O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

                  Comment


                  • #10
                    verdere zoektocht naar taskmgn.exe GMO

                    Buffy ik heb inmiddels ook Spybot S&D geladen. Hiermee systeem gecleaned. Daar kwamen nog 4 spywares naar voren. Die heb ik verwijderd. Een ervan was niet te verwijderen. Spybot gaf hiervoor het onderstaande aan:
                    Kazaa.Inc.Spybot12.RoyLomag:Autorun settings (Registry value, nothing done)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager
                    Heb je hier wat aan? Zit de boosdoener die we zoeken in Kazaa?
                    gr Gert

                    Comment


                    • #11
                      Nee, het zit niet in Kazaa. "Kazaa.Inc.Spybot12.RoyLomag" is gewoon de naam die Spybot eraan geeft. Wat Spybot vindt is de opstart-entry in het register, maar die zie ik in het HijackThis-log ook wel.

                      Laten we eerst het volgende nog even proberen:

                      1. Schakel SpywareGuard volledig uit. (Wellicht houdt het iets tegen.)

                      2. Open Taakbeheer (Ctrl+Alt+Del), kies het tabblad Processen en beëindig het proces taskmgn.exe.

                      3. Laat HijackThis het volgende item fixen:

                      O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe

                      4. Verwijder het bestand taskmgn.exe uit de map c:\windows\system32.

                      5. Start de pc opnieuw op.

                      Komt het terug?

                      Comment


                      • #12
                        Buffy voordat jij je email verstuurde heb ik mbv Spybot de aangegeven spyware in Kazaa verwijderd. Daarna in veilige modus taskmgn.exe verwijderd. Daarna hijack gedraaid en deze gaf bij de O4's niet meer taskmgn.exe aan. Het lijkt erop dat daarmee het probleem is opgelost..... echter Kazaa werkt nu niet meer.

                        Is dit en juiste procedure geweest of moet ik de boel terugdraaien en jouw advies uit je laatste email verder volgen?

                        Kazaa is nu niet meer in staat een verbinding te maken. Het betreft Kazaa+ light, waarvan gezegd wordt dat het geen spyware bevat. Ik zou toch wel Kazaa willen blijven gebruiken. Wat doet de taskmgn en wat kan hij aanrichten? Kennelijk heb ik deze al in m'n PC sinds ik Kazaa heb geinstalleerd een paar jaar geleden.

                        gr gert

                        Comment


                        • #13
                          Zoals ik al aangaf is "Kazaa.Inc.Spybot12.RoyLomag" alleen maar een naam die Spybot hieraan geeft. Het bestand taskmgn.exe heeft helemaal niets met Kazaa Lite te maken. Wees blij dat het is verwijderd, want taskmgn.exe moet je niet op je pc hebben staan. We komen het vaak tegen in combinatie met de nare Casino Palazzo hijacker en ook bij infecties met varianten van de RBot worm.

                          Ik gebruik zelf geen Kazaa (Lite), maar lees de laatste tijd vaak over problemen met verbinding maken. Dat schijnt gewoon met het Kazaa netwerk te maken te hebben. Soms moet je gewoon flink wat geduld opbrengen voordat verbinding ontstaat, naar het schijnt.

                          MAAR: ik raad het gebruik van Kazaa Lite sowieso af. Dat programma mag dan geen spyware bevatten, het netwerk van Kazaa (waar je dus van downloadt) stikt van de virussen, trojans en spyware. Als ik jou was, zou ik Kazaa Lite verwijderen en een beter, veiliger alternatief gaan gebruiken.

                          Comment


                          • #14
                            Laatste hijacklog?

                            Buffy ik doe nog een laatste hijack log erbij. Hebben we hiermee dan m'n PC clean? Alvast harstikke bedankt. gr gert

                            Logfile of HijackThis v1.99.0
                            Scan saved at 12:32:31, on 7-1-2005
                            Platform: Windows XP SP1 (WinNT 5.01.2600)
                            MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                            Running processes:
                            C:\WINDOWS\System32\smss.exe
                            C:\WINDOWS\SYSTEM32\winlogon.exe
                            C:\WINDOWS\system32\services.exe
                            C:\WINDOWS\system32\lsass.exe
                            C:\WINDOWS\system32\svchost.exe
                            C:\WINDOWS\System32\svchost.exe
                            C:\WINDOWS\Explorer.EXE
                            C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                            C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                            C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                            C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                            C:\WINDOWS\SOINTGR.EXE
                            C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
                            C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
                            C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                            C:\WINDOWS\System32\carpserv.exe
                            C:\WINDOWS\System32\ctfmon.exe
                            C:\Program Files\SpywareGuard\sgmain.exe
                            C:\WINDOWS\system32\spoolsv.exe
                            C:\Program Files\SpywareGuard\sgbhp.exe
                            C:\Program Files\Norton AntiVirus\navapsvc.exe
                            C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                            C:\WINDOWS\System32\nvsvc32.exe
                            C:\WINDOWS\system32\ssoftsrv.exe
                            C:\WINDOWS\System32\svchost.exe
                            C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                            C:\WINDOWS\System32\wuauclt.exe
                            C:\Program Files\Norton AntiVirus\OPScan.exe
                            C:\Program Files\Internet Explorer\iexplore.exe
                            C:\Program Files\Messenger\msmsgs.exe
                            C:\unzipped\Hijack This\hijackthis vs1990.exe

                            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
                            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
                            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arnhem.chello.nl:8080
                            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                            O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
                            O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
                            O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
                            O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                            O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
                            O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
                            O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                            O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
                            O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
                            O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
                            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                            O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
                            O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
                            O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
                            O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
                            O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                            O4 - HKLM\..\Run: [CARPService] carpserv.exe
                            O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                            O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
                            O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
                            O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
                            O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
                            O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
                            O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
                            O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
                            O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
                            O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                            O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
                            O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                            O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
                            O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                            O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                            O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
                            O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
                            O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                            O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                            O23 - Service: Cryptainer service - Unknown - ssoftsrv.exe (file missing)
                            O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

                            Comment


                            • #15
                              Ja, die is wel clean. Al zou ik persoonlijk ervoor kiezen de RealBar nog te verwijderen. Maar dat is aan jou.

                              Comment

                              Sorry, you are not authorized to view this page
                              Working...
                              X
                              😀
                              🥰
                              🤢
                              😎
                              😡
                              👍
                              👎