Mededeling

**Buffy** · 12-11-04, 19:52

1. Scan met HijackThis en vink de volgende items aan:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MStart2Page/Portal/portal.html

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\IEHelper.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\system32\mmgr32.exe
O4 - HKLM\..\RunOnce: [*yvq4] rundll32.exe C:\DOCUME~1\Rene\LOCALS~1\Temp\yvq4.tmp,Initialize

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".

2. Herstart de pc in veilige modus.
Mocht je niet weten hoe dat moet, kijk dan hier even: http://www.virushelp.nl/veilige_modus.htm

Zorg ervoor dat verborgen bestanden en mappen worden weergegeven.
Hier kun je lezen hoe dat moet: http://users.telenet.be/marcvn/spyware/1117602.htm

Verwijder nu, in veilige modus dus, de volgende bestanden en mappen:

C:\WINDOWS\system32\mmgr32.exe <- dat bestand
C:\WINDOWS\System32\P2P Networking <- die map
C:\Program Files\MStart2Page <- die map

En leeg de map:

C:\Documents and Settings\Rene\Local Settings\Temp <- alles wat in die map zit verwijderen

3. Herstart de pc in 'normale modus'.

4. Maak een nieuw log en plaats dat hier.

**lifetec** · 13-11-04, 10:29

2e logfile voor Buffy

Logfile of HijackThis v1.98.2
Scan saved at 11:25:41, on 13-11-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trust\250S Series\lwbwheel.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rene\Mijn documenten\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.brabant.chello.nl:8080
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\system32\mmgr32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

**Buffy** · 13-11-04, 10:53

Waarom heb je P2P Networking niet verwijderd?

1. Scan met HijackThis en vink de volgende twee items aan:

O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\system32\mmgr32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

Sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".

2. Herstart de pc in veilige modus.
Zorg ervoor dat verborgen bestanden en mappen worden weergegeven.

Verwijder: C:\WINDOWS\System32\P2P Networking <- die map

3. Herstart de pc in 'normale modus'.

4. Maak een nieuw log en plaats dat hier.

**lifetec** · 15-11-04, 15:51

3e logfile voor Buffy

Logfile of HijackThis v1.98.2
Scan saved at 16:46:27, on 15-11-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trust\250S Series\lwbwheel.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rene\Mijn documenten\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.brabant.chello.nl:8080
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

**Buffy** · 15-11-04, 16:19

Dit log is schoon.

Tips om deze problemen in het vervolg te voorkomen:

Nucia Security Forums

http://www.nucia.eu/...thread.php?t=55

Nucia Security Forums

http://www.nucia.eu/...hoevoorkom.html

**lifetec** · 15-11-04, 17:13

Bedankje

Buffy bedankt voor de moeite en de tijd.

Met vriendelijke groeten,
Lifetec

**Buffy** · 15-11-04, 17:23

Graag gedaan.

Mededeling

Logje lifetec

Logje lifetec

Comment

Comment

Comment

Comment

Comment

Comment

Comment