  • IE redirects to Chinese sites & computer shuts down slowly

    Hello,
    I have a PC here that starts up slowly, shuts down slowly and regularly jumps to Chinese sites.
    S&D has already removed a SmitFraud infection and Ad-Aware has previously removed infected files, but apparently remnants are left behind that cause new infections (e.g. upxdnd.exe).

    Here is my HijackThis log; any help would be appreciated.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:20:38, on 26-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\SurfRight\Caretaker\CaretakerService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SurfRight\Caretaker\AntispamService.exe
    C:\Program Files\SurfRight\Caretaker\CaretakerProxy.exe
    C:\Program Files\SurfRight\Caretaker\CaretakerUpdater.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Userinit.exe
    C:\Program Files\AntiVirusKit 2004\AVKService.exe
    C:\Program Files\AntiVirusKit 2004\AVKWCtl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\173e1.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\svch0st.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark 4300 Series\ezprint.exe
    C:\program files\extrafilm photoassistant\Agent.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\SurfRight\Caretaker\Notifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    c:\program files\digital photo image\monitor.exe
    C:\WINDOWS\system32\lxcecoms.exe
    c:\program files\trend micro\hijackthis\hijackthis.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=C:\WINDOWS\svch0st.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\ModeDriver.exe
    O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.2 localhost
    O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush1.dll
    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
    O2 - BHO: (no name) - {471B15AD-7A9C-491D-9C19-4E15B12DCE00} - C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\c171.dll
    O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
    O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
    O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X470SHLL.DLL,AutoUpdatePnPValue
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\program files\extrafilm photoassistant\Agent.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CaretakerNotifier] C:\Program Files\SurfRight\Caretaker\Notifier.exe
    O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\hpypxw.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [djxnesnof] djxnesnof.exe
    O4 - HKLM\..\Policies\Explorer\Run: [mne6] rundll32 "C:\WINDOWS\Downlo~1\mne6.dll",Run
    O4 - HKLM\..\Policies\Explorer\Run: [ib1i1f] rundll32 "C:\WINDOWS\Downlo~1\ib1i1f.dll",start
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-2025429265-764733703-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Monitor.lnk = ?
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirusKit 2004\AVKService.exe
    O23 - Service: AVK Monitor (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirusKit 2004\AVKWCtl.exe
    O23 - Service: Caretaker Antispam Service (CaretakerAntispam) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\AntispamService.exe
    O23 - Service: Caretaker Proxy (CaretakerProxy) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerProxy.exe
    O23 - Service: Caretaker Service (CaretakerSvc) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerService.exe
    O23 - Service: Caretaker Updater (CaretakerUpdate) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerUpdater.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Portable Media Serial Number Services (WmdmPmSNs) - Unknown owner - C:\WINDOWS\system32\u-191930723g.exe (file missing)
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)

    --
    End of file - 8383 bytes

  • #2
    Hi Herv27,

    1. I see that you have Spybot's TeaTimer running in the background; it can get in the way of fixing HijackThis entries. So switch TeaTimer off for a moment, as follows:

    1. Start Spybot Search and Destroy.
    2. Go to 'Mode' > select Advanced Mode
    3. Go to 'Tools' and click the Resident icon in the list
    4. Uncheck Resident TeaTimer and click OK

    5. Now download ResetTeaTimer.bat (http://downloads.subratam.org/ResetTeaTimer.bat) to your desktop (right-click -> Save as..)
    6. Now open ResetTeaTimer.bat from your desktop.

    TeaTimer is now switched off and reset.

    2. Start HijackThis and choose 'Do a system scan only'.
    When the scan is complete, check only the lines below in HijackThis:

    F3 - REG:win.ini: load=C:\WINDOWS\svch0st.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\ModeDriver.exe
    O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush1.dll
    O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\c171.dll
    O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
    O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
    O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\hpypxw.exe
    O4 - HKLM\..\Policies\Explorer\Run: [djxnesnof] djxnesnof.exe
    O4 - HKLM\..\Policies\Explorer\Run: [mne6] rundll32 "C:\WINDOWS\Downlo~1\mne6.dll",Run
    O4 - HKLM\..\Policies\Explorer\Run: [ib1i1f] rundll32 "C:\WINDOWS\Downlo~1\ib1i1f.dll",start


    Now close all windows except HijackThis itself and click 'Fix checked'.
    If you are asked about backups, answer 'Yes', then close HijackThis.

    3. Open a new Notepad file.
    Copy the code below into the Notepad file.

    Code:
    @ECHO OFF
    REM Start with a fresh log, then try to delete every file listed in the FOR set.
    IF EXIST log.txt DEL log.txt
    ECHO Deleting files>>log.txt
    FOR %%g in (
    C:\WINDOWS\system32\djxnesnof.exe
    C:\WINDOWS\system32\ModeDriver.exe
    "C:\Program Files\Common Files\CPUSH\cpush1.dll"
    C:\WINDOWS\system32\c171.dll
    C:\WINDOWS\hpypxw.exe
    "C:\WINDOWS\Downlo~1\mne6.dll"
    "C:\WINDOWS\Downlo~1\ib1i1f.dll"
    ) DO (
    IF EXIST %%g (
    REM Clear the read-only, system and hidden attributes first, otherwise DEL refuses.
    ATTRIB -r -s -h %%g
    DEL %%g
    REM A file that still exists after DEL is in use or protected; record that.
    IF EXIST %%g (
    ECHO %%g not deleted>>log.txt
    ) ELSE (
    ECHO %%g deleted>>log.txt)
    ) ELSE (
    ECHO %%g not found>>log.txt))
    REM Show the result log so it can be posted.
    START NOTEPAD.EXE log.txt
    Go to File -> Save as..
    -- Under Save in choose: Desktop
    -- Under File name enter: Delete.bat
    -- Under Save as type select: All files (*.*)

    Double-click Delete.bat on your desktop.
    A Notepad file will then open; post the contents of that file.

    Also post a fresh HijackThis log for checking.

    - Daniël



    • #3
      Hello, thanks for the reply.
      I switched TeaTimer off and then ran ResetTeaTimer.bat.
      A message appears:
      "Windows Script Host access is disabled on this machine.
      Post this in the forum please."
      Is that step finished now and can I ignore this message?

      After that I did fix the specified lines using HijackThis.
      Can I now go ahead and run Delete.bat, or does something need to be started again first because of the earlier message from ResetTeaTimer?

      Thanks in advance..



      • #4
        Hello,
        WScript already switched off in the registry and ResetTeaTimer run -> Ready
        Ran HijackThis again and ran Delete.bat.
        BHO C171.dll keeps copying itself back !! (Also a c171dlltemp file)

        SYSTEM CLOCK IS STILL NOT CORRECT (it says 29-1-08, and the c171dlltemp file is dated 26-2-08)


        HijackThis log below.

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 17:53:23, on 29-1-2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\csrss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Ahead\InCD\InCDsrv.exe
        C:\Program Files\SurfRight\Caretaker\CaretakerService.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\SurfRight\Caretaker\AntispamService.exe
        C:\Program Files\SurfRight\Caretaker\CaretakerProxy.exe
        C:\Program Files\SurfRight\Caretaker\CaretakerUpdater.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\SYSTEM32\Userinit.exe
        C:\Program Files\AntiVirusKit 2004\AVKService.exe
        C:\Program Files\AntiVirusKit 2004\AVKWCtl.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\alg.exe
        C:\WINDOWS\explorer.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\Program Files\Lexmark 4300 Series\ezprint.exe
        C:\program files\extrafilm photoassistant\Agent.exe
        C:\WINDOWS\system32\173e1.exe
        C:\Program Files\Ahead\InCD\InCD.exe
        C:\Program Files\SurfRight\Caretaker\Notifier.exe
        C:\Program Files\Unlocker\UnlockerAssistant.exe
        C:\WINDOWS\system32\rundll32.exe
        C:\Program Files\Digital Photo Image\Monitor.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
        C:\WINDOWS\system32\lxcecoms.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
        R3 - Default URLSearchHook is missing
        O1 - Hosts: 127.0.0.2 localhost
        O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
        O2 - BHO: (no name) - {471B15AD-7A9C-491D-9C19-4E15B12DCE00} - C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\c171.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
        O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X470SHLL.DLL,AutoUpdatePnPValue
        O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
        O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
        O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
        O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\program files\extrafilm photoassistant\Agent.exe"
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
        O4 - HKLM\..\Run: [CaretakerNotifier] C:\Program Files\SurfRight\Caretaker\Notifier.exe
        O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
        O4 - HKLM\..\Policies\Explorer\Run: [j7r38y] rundll32 "C:\WINDOWS\Downlo~1\j7r38y.dll",start
        O4 - HKLM\..\Policies\Explorer\Run: [w8ddnucg] rundll32 "C:\WINDOWS\Downlo~1\w8ddnucg.dll",Run
        O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
        O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
        O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
        O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O4 - Global Startup: Monitor.lnk = ?
        O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
        O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
        O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
        O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
        O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirusKit 2004\AVKService.exe
        O23 - Service: AVK Monitor (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirusKit 2004\AVKWCtl.exe
        O23 - Service: Caretaker Antispam Service (CaretakerAntispam) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\AntispamService.exe
        O23 - Service: Caretaker Proxy (CaretakerProxy) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerProxy.exe
        O23 - Service: Caretaker Service (CaretakerSvc) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerService.exe
        O23 - Service: Caretaker Updater (CaretakerUpdate) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerUpdater.exe
        O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
        O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
        O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        O23 - Service: Portable Media Serial Number Services (WmdmPmSNs) - Unknown owner - C:\WINDOWS\system32\u-191930723g.exe (file missing)
        O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)

        --
        End of file - 7164 bytes
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

        Report output from Delete.bat:

        Deleting files
        C:\WINDOWS\system32\djxnesnof.exe not found
        C:\WINDOWS\system32\ModeDriver.exe not found
        "C:\Program Files\Common Files\CPUSH\cpush1.dll" not found
        C:\WINDOWS\system32\c171.dll not deleted
        C:\WINDOWS\hpypxw.exe not found
        "C:\WINDOWS\Downlo~1\mne6.dll" deleted
        "C:\WINDOWS\Downlo~1\ib1i1f.dll" deleted
        ----------------------------
        SAFE MODE:
        Deleting files
        C:\WINDOWS\system32\djxnesnof.exe not found
        C:\WINDOWS\system32\ModeDriver.exe not found
        "C:\Program Files\Common Files\CPUSH\cpush1.dll" not found
        C:\WINDOWS\system32\c171.dll deleted
        C:\WINDOWS\hpypxw.exe not found
        "C:\WINDOWS\Downlo~1\mne6.dll" not found
        "C:\WINDOWS\Downlo~1\ib1i1f.dll" not found
        -----------------------------------
        AFTER WINDOWS RESTART
        Deleting files
        C:\WINDOWS\system32\djxnesnof.exe not found
        C:\WINDOWS\system32\ModeDriver.exe not found
        "C:\Program Files\Common Files\CPUSH\cpush1.dll" not found
        C:\WINDOWS\system32\c171.dll not deleted
        C:\WINDOWS\hpypxw.exe not found
        "C:\WINDOWS\Downlo~1\mne6.dll" not found
        "C:\WINDOWS\Downlo~1\ib1i1f.dll" not found
        xxxxxxxxxxxxxxxxxxxx

        After being removed, the mne and ib1if DLLs came back under a new name variant once c171 had copied itself back (j7r38y.dll and w8ddnucg.dll)

        How do I get c171 removed for good?
        Help would be appreciated

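As an added example (not code from this thread and not HijackThis code), the Python script below parses HijackThis entry lines and applies the kind of checks the helper did by hand in post #2 (a win.ini load= entry, an executable chained onto UserInit, BHOs that are not .dll files, Policies\Explorer\Run autostarts, a svch0st lookalike, services whose file is missing), and diffs two logs so a DLL that was deleted and came back under a random new name, as in post #4, shows up as a removed/added pair next to the entries that survived. The flagging rules and the SYSTEM_NAMES list are my assumptions; the sample logs are constructed from lines that appear in this thread.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis code and
not part of the original thread). The rules and SYSTEM_NAMES are assumptions
modelled on the entries fixed in post #2; sample logs are built from the thread."""
import re

# Entry lines look like "O4 - HKLM\..\Run: [...]": a section code, then the body.
ENTRY_RE = re.compile(r'^(?P<sec>[RFO]\d+) - (?P<body>.*)$')
# Core Windows process names that malware imitates (assumed, not exhaustive).
SYSTEM_NAMES = {'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe'}

def lookalike(filename):
    """True if the name mimics a system binary via digit substitution (svch0st.exe)."""
    n = filename.lower()
    return n not in SYSTEM_NAMES and n.replace('0', 'o').replace('1', 'l') in SYSTEM_NAMES

def parse(log_text):
    """Return (section, body) pairs for every entry line in a log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group('sec'), m.group('body')))
    return entries

def flag(sec, body):
    """Return a reason string if the entry matches a suspicious pattern, else None."""
    b = body.lower()
    if sec == 'F3' and 'win.ini: load=' in b:
        return 'win.ini load= autostart (legacy mechanism, rarely legitimate)'
    if sec == 'F2' and 'userinit=' in b and b.count('.exe') > 1:
        return 'extra executable chained onto UserInit (runs at every logon)'
    if sec == 'O1' and 'localhost' in b and '127.0.0.1 localhost' not in b:
        return 'hosts file maps localhost to something other than 127.0.0.1'
    if sec == 'O2':
        if not b.rsplit(' - ', 1)[-1].endswith('.dll'):
            return 'BHO loaded from a file that is not a .dll'
        if b.startswith('bho: (no name)'):
            return 'BHO without a name'
    if sec == 'O4':
        if 'policies\\explorer\\run' in b:
            return 'Policies\\Explorer\\Run autostart (not shown by msconfig)'
        if '\\downlo~1\\' in b:
            return 'rundll32 loading a DLL from Downloaded Program Files'
        if re.search(r'\] c:\\windows\\[^\\\s]+\.exe', b):
            return 'executable dropped directly in the Windows directory'
    if sec == 'O23' and '(file missing)' in b:
        return 'service points to a file that no longer exists'
    return None

def triage(log_text):
    """Scan a whole log: entry lines go through flag(), bare process paths
    from the 'Running processes' section are checked for lookalike names."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            reason = flag(m.group('sec'), m.group('body'))
        elif line.lower().endswith('.exe') and '\\' in line:
            reason = 'process name imitates a Windows system binary' if lookalike(line.rsplit('\\', 1)[-1]) else None
        else:
            reason = None
        if reason:
            findings.append((line, reason))
    return findings

def diff(old_text, new_text):
    """(removed, added, unchanged) between two logs. A DLL that came back under a
    random new name (post #4) shows as one removed plus one added entry."""
    old, new = set(parse(old_text)), set(parse(new_text))
    return sorted(old - new), sorted(new - old), sorted(old & new)

# Constructed sample: a selection of lines from the first log in the thread.
LOG_BEFORE = r"""
C:\WINDOWS\svch0st.exe
F3 - REG:win.ini: load=C:\WINDOWS\svch0st.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\ModeDriver.exe
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\c171.dll
O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\hpypxw.exe
O4 - HKLM\..\Policies\Explorer\Run: [mne6] rundll32 "C:\WINDOWS\Downlo~1\mne6.dll",Run
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)
"""
# Constructed sample: the same system after Delete.bat, as in the log of post #4.
LOG_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\c171.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Policies\Explorer\Run: [j7r38y] rundll32 "C:\WINDOWS\Downlo~1\j7r38y.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [w8ddnucg] rundll32 "C:\WINDOWS\Downlo~1\w8ddnucg.dll",Run
"""
```

Running `triage(LOG_BEFORE)` flags eight lines, and `diff(LOG_BEFORE, LOG_AFTER)` reports the two new Policies\Explorer\Run entries as added while the c171.dll BHO sits in the unchanged set, which is exactly the persistence pattern the poster describes.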


        • #5
          Hello again,
          ran Ad-Aware another 3 times because c171.dll kept putting itself back.
          Again many entries and (tmp) files removed by Ad-Aware.
          2 infections remain and I cannot get them removed (permanently) with Ad-Aware, namely:
          3x Win32.AdWare.Cinmus (TAC5)
          55x Win32.TrojanPWS.OnlineGames Object Recognized! (TAC10)

          Strange (Chinese and odd) startup items also remain in the MsConfig startup list.
          xxxxxxxxxxxxx

          Eventually managed to fix all items.
          The O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k had returned (see this log) and has since been fixed again.

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 22:40:46, on 29-2-2008
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\csrss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Ahead\InCD\InCDsrv.exe
          C:\Program Files\SurfRight\Caretaker\CaretakerService.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\SurfRight\Caretaker\AntispamService.exe
          C:\Program Files\SurfRight\Caretaker\CaretakerProxy.exe
          C:\Program Files\SurfRight\Caretaker\CaretakerUpdater.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\SYSTEM32\Userinit.exe
          C:\Program Files\AntiVirusKit 2004\AVKService.exe
          C:\Program Files\AntiVirusKit 2004\AVKWCtl.exe
          C:\Program Files\Common Files\LightScribe\LSSrvc.exe
          C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEserv.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\System32\alg.exe
          C:\WINDOWS\explorer.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\SOUNDMAN.EXE
          C:\Program Files\Lexmark 4300 Series\ezprint.exe
          C:\program files\extrafilm photoassistant\Agent.exe
          C:\Program Files\Ahead\InCD\InCD.exe
          C:\Program Files\SurfRight\Caretaker\Notifier.exe
          C:\Program Files\Digital Photo Image\Monitor.exe
          C:\WINDOWS\system32\lxcecoms.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
          R3 - Default URLSearchHook is missing
          O1 - Hosts: 127.0.0.2 localhost
          O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
          O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
          O4 - HKLM\..\Run: [Xerox WorkCentre 470cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X470SHLL.DLL,AutoUpdatePnPValue
          O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
          O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
          O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
          O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\program files\extrafilm photoassistant\Agent.exe"
          O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
          O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
          O4 - HKLM\..\Run: [CaretakerNotifier] C:\Program Files\SurfRight\Caretaker\Notifier.exe
          O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
          O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
          O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
          O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
          O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O4 - Global Startup: Monitor.lnk = ?
          O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
          O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
          O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
          O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
          O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
          O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
          O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
          O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirusKit 2004\AVKService.exe
          O23 - Service: AVK Monitor (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirusKit 2004\AVKWCtl.exe
          O23 - Service: Caretaker Antispam Service (CaretakerAntispam) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\AntispamService.exe
          O23 - Service: Caretaker Proxy (CaretakerProxy) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerProxy.exe
          O23 - Service: Caretaker Service (CaretakerSvc) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerService.exe
          O23 - Service: Caretaker Updater (CaretakerUpdate) - SurfRight B.V. - C:\Program Files\SurfRight\Caretaker\CaretakerUpdater.exe
          O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
          O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
          O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
          O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe
          O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
          O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
          O23 - Service: Portable Media Serial Number Services (WmdmPmSNs) - Unknown owner - C:\WINDOWS\system32\u-191930723g.exe (file missing)
          O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)

          --
          End of file - 6470 bytes


          xxxxxxxxxxxxxxxxxxxxxxxxxxxx

          Infections (such as 6B45A520.DLL) also carry dates from e.g. last January and even in the future, 2100
          Can these still be removed with e.g. RWAXO or ComboFix??



          • #6
            Hi,

            Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.

            NOTE: if, during or after downloading ComboFix or while using ComboFix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download ComboFix again.
            Some scanners see certain components ComboFix uses as suspicious and will block or remove them!
            • Double-click Combofix.exe
              Follow the instructions, accept the disclaimer by typing 1 (continue) followed by ENTER.
              While the fix is running, do NOT click in the window, as this will make your PC hang.

            When the fix is finished and after the restart, the log Combofix.txt will open.
            Post that log in your next reply, together with a fresh HijackThis log.

            - Daniël



            • #7
              Hi,
              Haven't been able to get the computer clean yet because it keeps reinfecting itself.
              Currently still backing up essential files before I dare let a rigorous clean-up loose on it. It will only become clear in a few days what the next step will be.



              • #8
                Hi, I'll take over here

                If you still need help, I suggest you make a new log with ComboFix and post it here in this topic.
                That log is needed to assess what still needs to be done.

                Regards smeenk
