  • colleague's log

    Hi,
    Scanned with Ad-Aware; 4800 objects removed.
    Now I've made a log.
    Is a rescue still possible?

    Logfile of HijackThis v1.99.0
    Scan saved at 14:05:40, on 5-1-2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\system32\r_server.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\TEMP\ABCD94.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijack\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 205.177.124.66 auto.search.msn.com
    O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1029.dll,InstantAccess
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent_.exe
    O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
    O4 - Global Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk14244US
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1029_EN_XP.cab
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
    O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://www.mediaswitch.nl/eromedia/launcher.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano/prog/HOL/rundum.cab
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.erototaal.nl/plugin/animalsexfilmsnl063.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.pornocams.nl/pornofilms.exe
    O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1034_pack_XP.cab
    O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} - http://exe.dialer.tintel.nl/tcw.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1012_EN_XP.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)
    O20 - AppInit_DLLs: ctrlpan.dll
    O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
    O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  • #2
    Your colleague has built up quite a collection of porn dialers, Puppie.


    1. Scan with HijackThis and check the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 205.177.124.66 auto.search.msn.com

    O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)

    O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1029.dll,InstantAccess
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent_.exe
    O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxmk14244US

    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binarie...1029_EN_XP.cab
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://www.mediaswitch.nl/eromedia/launcher.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.exe
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binarie...ia32_EN_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.erototaal.nl/plugin/animalsexfilmsnl063.exe
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.pornocams.nl/pornofilms.exe
    O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binarie...34_pack_XP.cab
    O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} - http://exe.dialer.tintel.nl/tcw.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binarie...1012_EN_XP.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab

    O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)

    O20 - AppInit_DLLs: ctrlpan.dll
    Close all windows except HijackThis itself and click "Fix checked".

    2. Restart the PC in Safe Mode.
    If you don't know how to do that, have a look here: http://www.virushelp.nl/veilige_modus.htm

    Make sure hidden files and folders are shown.
    You can read how to do that here: http://users.telenet.be/marcvn/spyware/1117602.htm

    Now, in Safe Mode, delete the following files and folders (insofar as they are still present):

    C:\Windows\System32\sncntr.exe <- that file
    C:\Windows\System32\ctrlpan.dll <- that file
    C:\Program Files\Startportal <- that folder
    C:\Program Files\MyWebSearch <- that folder

    And empty the folder:

    C:\Windows\Temp <- delete everything inside that folder

    3. Restart the PC in 'normal mode'.

    4. Make a new log and post it here.

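An added triage script (not from this thread or from any of the tools named in it) that parses a HijackThis 1.99 log such as the ones posted here and flags the entry kinds the helper asks to have fixed in this and the later replies: O1 hosts overrides, O20 AppInit_DLLs, O19 user stylesheets, orphaned BHOs and search hooks, emptied or file:-pointed start pages, O16 ActiveX downloads from hosts outside an allow-list, and processes started from Temp. The allow-list TRUSTED_DPF_HOSTS and the sample log (built from lines of the first log above) are assumptions, and the rules are heuristics, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# One HijackThis entry, e.g. "O20 - AppInit_DLLs: ctrlpan.dll".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - .+$")

# Assumed allow-list of O16 (ActiveX) download hosts: the ones the helper in this
# thread left alone. An analyst maintains this per environment.
TRUSTED_DPF_HOSTS = {"www.p3.postbank.nl", "a840.g.akamai.net",
                     "secure2.comned.com", "www.innova-webplaner.de"}

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Scan saved at 14:05:40, on 5-1-2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\ABCD94.EXE
C:\hijack\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1029.dll,InstantAccess
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://www.mediaswitch.nl/eromedia/launcher.exe
O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)
O20 - AppInit_DLLs: ctrlpan.dll
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    kind: str    # HijackThis section code ("O20"), or "PROC" for a running process
    entry: str   # the full log line
    reason: str  # why it was flagged


def parse_log(text):
    """Return (running process paths, [(kind, entry line), ...])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs:
            in_procs = False          # a blank line ends the process list
        elif ENTRY_RE.match(line):
            entries.append((line.split(" - ", 1)[0], line))
    return procs, entries


def triage(text):
    """Flag the entry kinds the helpers in this thread ask to have fixed."""
    procs, entries = parse_log(text)
    found = []
    for p in procs:
        if "\\temp\\" in p.lower():
            found.append(Finding("PROC", p, "process running from a Temp directory"))
    for kind, line in entries:
        low = line.lower()
        reason = None
        if kind in ("R0", "R1") and (line.endswith("=") or "= file:///" in line):
            reason = "IE start/search page emptied or pointed at a local file"
        elif kind == "R3" and "(no file)" in low:
            reason = "URLSearchHook with no backing file"
        elif kind == "O1":
            reason = "hosts-file override of a search/update host"
        elif kind == "O2" and ("(no name)" in low or "(file missing)" in low):
            reason = "unnamed or orphaned Browser Helper Object"
        elif kind == "O4" and ("\\temp\\" in low
                               or re.search(r"rundll32\.exe \w[\w.]*\.dll", low)):
            reason = "autorun from Temp, or rundll32 loading a DLL given without a path"
        elif kind == "O16":
            url = line.rsplit(" - ", 1)[-1]           # last field is the download URL
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_DPF_HOSTS or url.lower().endswith(".exe"):
                reason = f"ActiveX download from untrusted host {host}"
        elif kind == "O19":
            reason = "user stylesheet override (CoolWebSearch-style hijack)"
        elif kind == "O20":
            reason = "AppInit_DLLs: this DLL is loaded into every process that uses user32"
        elif kind == "O23" and " - unknown - " in low:
            reason = "service with no known vendor; review"
        if reason:
            found.append(Finding(kind, line, reason))
    return found
```

Calling triage(SAMPLE_LOG) returns eleven findings, one per hijacked or suspicious line, and leaves the Adobe BHO, the Postbank control and the Zone Labs service alone.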


    • #3
      Thanks in advance.
      We'll do it tomorrow.
      The display driver is playing up at the moment.
      As soon as that's sorted I'll post a log again.
      Yes, and then the porn: he's almost retired.



      • #4
        And here is the second log.
        In the meantime I've also installed SP2.

        Logfile of HijackThis v1.99.0
        Scan saved at 13:59:12, on 6-1-2005
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
        C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
        C:\WINDOWS\system32\r_server.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\0FCD0G.EXE
        C:\WINDOWS\system32\ZoneLabs\minilog.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\SOUNDMAN.EXE
        C:\Program Files\Classic PhoneTools\CapFax.EXE
        C:\Program Files\Logitech\iTouch\iTouch.exe
        C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        C:\Program Files\Real\RealPlayer\RealPlay.exe
        C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
        C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
        C:\Program Files\Digital Image\Monitor.exe
        C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
        C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
        C:\hijack\hijackthis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
        O1 - Hosts: 205.177.124.66 auto.search.msn.com
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
        O4 - HKLM\..\Run: [anvshell] anvshell.exe
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
        O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
        O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
        O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
        O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
        O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
        O4 - Global Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
        O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
        O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
        O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
        O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano/prog/HOL/rundum.cab
        O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
        O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
        O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)
        O20 - AppInit_DLLs: ctrlpan.dll
        O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
        O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
        O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
        O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
        O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
        O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
        O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



        • #5
          You'd have done better to wait a bit before installing SP2, because installing SP2 on PCs that have spyware on them can cause serious problems. But that's water under the bridge now.



          1. Download CWShredder now, but don't use it yet: http://cwshredder.net/bin/CWShredder.exe

          2. Scan with HijackThis and check the following items:

          O1 - Hosts: 205.177.124.66 auto.search.msn.com

          O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)

          O20 - AppInit_DLLs: ctrlpan.dll
          Close all windows except HijackThis itself and click "Fix checked".

          3. Now run CWShredder. Use the "Fix" button.

          4. Restart the PC in Safe Mode.
          Make sure hidden files and folders are shown.

          Delete the following file (if still present):

          C:\Windows\System32\ctrlpan.dll <- that file

          5. Restart the PC in 'normal mode'.

          6. Make a new log and post it here.
          Last edited by Buffy; 06-01-05, 19:54.



          • #6
            Sorry for the ill-considered SP2 action.
            But a quick question in between.
            Can some kind of spyware also interfere with the video card?
            This morning I put in a different card and it worked perfectly.
            My colleague takes the PC home, connects the computer again, and again no picture.
            I'm going over there again tomorrow to see what it is.

            In any case, thanks so far.



            • #7
              Originally posted by puppie
              Can some kind of spyware also interfere with the video card?
              I can't rule that out entirely, but it's not very likely.



              • #8
                So, here we are again.
                The video problem is solved now; a PAL card was in the way.
                But the following still won't work.
                Deleting ctrlpan.dll in Safe Mode just won't succeed.
                Scanning with CWShredder also gives an error message:
                "An error has occurred in CWShredder, unfortunately it has to be closed", and then I can send a report to Microsoft.

                Here is the log. Is there still hope???

                Logfile of HijackThis v1.99.0
                Scan saved at 11:07:05, on 7-1-2005
                Platform: Windows XP SP2 (WinNT 5.01.2600)
                MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\SOUNDMAN.EXE
                C:\Program Files\Classic PhoneTools\CapFax.EXE
                C:\Program Files\Logitech\iTouch\iTouch.exe
                C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
                C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
                C:\Program Files\Real\RealPlayer\RealPlay.exe
                C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
                C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
                C:\Program Files\Digital Image\Monitor.exe
                C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
                C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
                C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                C:\WINDOWS\system32\ZoneLabs\MINILOG.EXE
                C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
                C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
                C:\WINDOWS\system32\r_server.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
                C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\0FCD0G.EXE
                C:\WINDOWS\system32\wuauclt.exe
                C:\hijack\hijackthis.exe

                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
                R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
                R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                O1 - Hosts: 205.177.124.66 auto.search.msn.com
                O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
                O4 - HKLM\..\Run: [anvshell] anvshell.exe
                O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
                O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
                O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
                O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
                O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
                O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
                O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
                O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
                O4 - Global Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
                O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
                O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
                O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
                O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
                O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
                O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
                O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano/prog/HOL/rundum.cab
                O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
                O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)
                O20 - AppInit_DLLs: ctrlpan.dll
                O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
                O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
                O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
                O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
                O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
                O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



                • #9
                  Hi Puppie,


                  1. Download and unzip Pocket Killbox now. Don't use it yet.


                  2. Scan with HijackThis and check the following items:

                  O1 - Hosts: 205.177.124.66 auto.search.msn.com

                  O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)

                  O20 - AppInit_DLLs: ctrlpan.dll
                  Close all windows except HijackThis itself and click "Fix checked".


                  3. Start Pocket Killbox (double-click KillBox.exe).

                  - Paste the following line into the "Full Path of File to Delete" box:

                  C:\Windows\System32\ctrlpan.dll

                  - Select "Delete on Reboot".
                  - Click the red button with the white cross.
                  - Click "Yes" when asked whether you want to reboot.
                  - Click "Yes" when Killbox asks for confirmation.

                  Your PC will now restart and the file will be deleted.


                  4. Make a new HijackThis log and post it here.



                  • #10
                    So, here we are again.
                    That Killbox has done its job, I think.
                    I'm enjoying this more and more.
                    And all of it remotely.

                    Logfile of HijackThis v1.99.0
                    Scan saved at 19:19:29, on 7-1-2005
                    Platform: Windows XP SP2 (WinNT 5.01.2600)
                    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
                    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
                    C:\WINDOWS\system32\r_server.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
                    C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\0FCD0G.EXE
                    C:\WINDOWS\Explorer.EXE
                    C:\WINDOWS\anvshell.exe
                    C:\WINDOWS\SOUNDMAN.EXE
                    C:\Program Files\Classic PhoneTools\CapFax.EXE
                    C:\Program Files\Logitech\iTouch\iTouch.exe
                    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
                    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
                    C:\Program Files\Real\RealPlayer\RealPlay.exe
                    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
                    C:\WINDOWS\system32\ctfmon.exe
                    C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
                    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
                    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
                    C:\Program Files\Digital Image\Monitor.exe
                    C:\Program Files\Logitech\iTouch\kbdtray.exe
                    C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
                    C:\hijack\hijackthis.exe

                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
                    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
                    O4 - HKLM\..\Run: [anvshell] anvshell.exe
                    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
                    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
                    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
                    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
                    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
                    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
                    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
                    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                    O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
                    O4 - Global Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
                    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
                    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
                    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
                    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
                    O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
                    O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano/prog/HOL/rundum.cab
                    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
                    O20 - AppInit_DLLs: ctrlpan.dll
                    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
                    O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                    O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
                    O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
                    O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe



                    • #11
                      Still fix this item:

                      O20 - AppInit_DLLs: ctrlpan.dll



                      • #12
                        And hopefully that ctrlpan.dll is gone now.
                        Here is another log.

                        Logfile of HijackThis v1.99.0
                        Scan saved at 19:37:19, on 7-1-2005
                        Platform: Windows XP SP2 (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\system32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                        C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
                        C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
                        C:\WINDOWS\system32\r_server.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
                        C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\0FCD0G.EXE
                        C:\WINDOWS\Explorer.EXE
                        C:\WINDOWS\anvshell.exe
                        C:\WINDOWS\SOUNDMAN.EXE
                        C:\Program Files\Classic PhoneTools\CapFax.EXE
                        C:\Program Files\Logitech\iTouch\iTouch.exe
                        C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
                        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
                        C:\Program Files\Real\RealPlayer\RealPlay.exe
                        C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                        C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
                        C:\WINDOWS\system32\ctfmon.exe
                        C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
                        C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
                        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
                        C:\Program Files\Digital Image\Monitor.exe
                        C:\Program Files\Logitech\iTouch\kbdtray.exe
                        C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
                        C:\hijack\hijackthis.exe

                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
                        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
                        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
                        O4 - HKLM\..\Run: [anvshell] anvshell.exe
                        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                        O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
                        O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
                        O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
                        O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
                        O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
                        O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
                        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                        O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
                        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                        O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
                        O4 - Global Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
                        O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
                        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
                        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
                        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
                        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
                        O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
                        O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
                        O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano/prog/HOL/rundum.cab
                        O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                        O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
                        O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
                        O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                        O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
                        O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
                        O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

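The O20 line called out in #11 is the only entry that differs between the logs in #10 and #12. As an added example (not code from the thread), the script below parses HijackThis entry lines, diffs two scans, and flags O20 (AppInit_DLLs / Winlogon Notify) and O23 (service) entries for review; the two log excerpts are constructed from the logs above.

```python
import re

# Constructed excerpts of the logs in #10 (before) and #12 (after) above.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: ctrlpan.dll
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
"""

# HijackThis entry lines look like "<section> - <detail>", e.g. "O20 - AppInit_DLLs: ctrlpan.dll".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Sections worth a second look on every log, with the reason.
HIGH_INTEREST = {
    "O20": "AppInit_DLLs / Winlogon Notify: DLL loaded into other processes",
    "O23": "Windows service: starts at boot, usually as SYSTEM",
}


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, detail) for each entry line; headers and the process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> tuple[list, list]:
    """(removed, added) entries between two scans, ignoring line order."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


def flag_entries(log: str) -> list[tuple[str, str, str]]:
    """(section, detail, reason) for entries in HIGH_INTEREST sections."""
    return [(s, d, HIGH_INTEREST[s]) for s, d in parse_entries(log) if s in HIGH_INTEREST]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed, "added:", added)
    for s, d, why in flag_entries(LOG_AFTER):
        print(f"{s} - {d}  <- {why}")
```

Running it on the full logs shows only the O20 entry as removed; the r_server.exe service (O23) survives in both scans and is worth confirming as intentional remote-administration software.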


                        • #13
                          And that one is clean, Puppie.

                          Just dot the i's:
                          - empty the temporary folders and the like;
                          - turn off System Restore, reboot, turn System Restore back on;
                          - one more full scan with AdAware SE.

                          Also install some preventive software on that PC. Given the kind of sites this colleague apparently likes to visit, it is badly needed.



                          • #14
                            Thank you very much

                            Buffy,

                            many, many thanks for the great service.
                            I've said it before: if you are ever in Enschede, you can come for a free swim, partner included.

                            But the colleague really does not visit those sites of his own free will.
                            I think it was because XP did not have a single update, no SP1 and/or SP2.
                            Now it is fully up to date again.
                            I will carry out the rest of the recommendations from the couch as well.

                            Once again, THANK YOU very much.



                            • #15
                              You're welcome.
