HijackThis log - WIE pop-up / Trojans

  • #1

    Note: text I typed myself is in "BOLD"

    Hello!

    I had nothing to do this afternoon, I got out early, so I decided to watch some "South Park". I looked up a website to play it on. I start loading, and I have to download a new update for QuickTime. I dutifully do that. Shortly afterwards I get a "Trojan alert" from Nod32. It turned out I hadn't downloaded QuickTime at all, but "Security Toolbar 7.1". Now I have a toolbar that keeps trying to offer me its program. I keep getting pop-ups saying that I have a "Too low security level". Then I'm supposed to download more programs, which I'm not going to do. It also opens pop-ups with links to downloads, so that it starts right away if you click save/run.

    This is incredibly annoying, and I hope someone knows a solution.
    Again, the program is called "Security Toolbar 7.1". It's my birthday on Thursday the 29th, so I hope I'll get a new computer.

    P.S. I have "Windows XP"

    -Tom Joosten


    "Here is my HijackThis log"

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:19:29, on 16-5-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sweex WiFi LAN 140 Nitro XM Utility\WlanUtl.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
    O2 - BHO: (no name) - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - (no file)
    O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\system32\158117\158117.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {F31B3634-12AA-41ca-B021-0685C3B3E4CA} - (no file)
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
    O4 - Global Startup: Sweex WiFi LAN 140 Nitro XM Utility.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    --
    End of file - 8336 bytes
    That was my HijackThis log.

    I hope you can help me further.

    -Tom Joosten.

  • #2
    Download: RVAXO.exe
    • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    • Start the computer in Safe Mode.
    • Now open the RVAXO folder on your desktop and double-click RunMe.cmd
      A cmd window will open, in which a few lines about files not found will quickly scroll past; this is normal.
    • An uninstaller of a rogue scanner may also start; do not close it, but follow any instructions and just let it do its work.
    • Your PC will then restart; let it start in normal mode again. After the restart the RVAXO cmd window opens again.
      Let it run and wait until a log file opens: C:\RVAXO-results.log
    • If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
    • Post the contents of the log file in your next message.
    Also post the contents of the 2nd log: C:\RVAXO-Vfind.log

    • #3
      Here are the contents of my log.

      ---RVAXO.exe Updated: 2008-05-16---first run---
      Uninstallers:

      Files found:
      C:\WINDOWS\SwSys1.bmp
      C:\WINDOWS\SwSys2.bmp
      C:\WINDOWS\system32\winpfz32.sys
      C:\WINDOWS\system32\zxdnt3d.cfg
      C:\WINDOWS\system32\msnav32.ax
      C:\WINDOWS\system32\adssite-remove.exe
      C:\WINDOWS\system32\gzmrot-uninst.exe
      C:\Documents and Settings\TOM\FAVORI~1\Online Security Test.url

      Folders Found:
      C:\WINDOWS\System32\158117
      C:\Program Files\FunWebProducts
      C:\Program Files\MyWebSearch

      Hosts-file was reset, If you use a custom hosts file please replace it...

      --------------RVAXO.exe last run---------------
      Not deleted items:

      --------------RVAXO.exe finished----------------

      PS. Thanks for your quick reply!

      • #4
        Originally posted by smeenk
        Also post the contents of the 2nd log: C:\RVAXO-Vfind.log
        And add a new HijackThis log to that as well.

        • #5
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 17:44:20, on 16-5-2008
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16640)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\Program Files\Eset\nod32krn.exe
          C:\WINDOWS\system32\mqsvc.exe
          C:\WINDOWS\system32\mqtgsvc.exe
          C:\Program Files\Eset\nod32kui.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
          C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Sweex WiFi LAN 140 Nitro XM Utility\WlanUtl.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\devldr32.exe
          C:\PROGRA~1\Mozilla Firefox\firefox.exe
          C:\Program Files\Windows Live\Messenger\usnsvc.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
          R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
          R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
          O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\system32\158117\158117.dll (file missing)
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
          O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
          O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
          O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
          O4 - Global Startup: Sweex WiFi LAN 140 Nitro XM Utility.lnk = ?
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
          O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
          O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
          O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
          O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
          O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
          O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
          O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
          O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
          O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
          O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

          --
          End of file - 7130 bytes


          New HijackThis log.

          -Tom Joosten

          • #6
            Start HijackThis and tick only the following lines:
            R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
            R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
            R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
            R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
            O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\system32\158117\158117.dll (file missing)

            Close all open windows (except HijackThis) and click "Fix checked".

            Restart your computer.

            After the restart, post a new HijackThis log so it can be checked.

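An added example, not from this thread and not part of HijackThis: a small Python triage script that applies the same reasoning the helper used above to pick the lines to fix (search/start page entries pointing at an unknown host, search hooks and BHOs whose file is gone, IE buttons that point at a remote URL, and the rundll32 autostart seen in the first log). The sample log is a subset of lines from this thread's first log; the trusted-host allowlist and the numeric-folder heuristic are assumptions of this example, not rules HijackThis itself applies.

```python
"""Triage HijackThis-style log lines for browser-hijack indicators.

Added example, not part of the original thread or of HijackThis. It encodes
the reasoning the helper applied when selecting lines for "Fix checked".
"""
import re
from urllib.parse import urlparse

# Hosts the default (Microsoft) IE search/start entries point at. Any other
# host in an R0/R1 search or start entry is reported. Assumption: this short
# allowlist is enough for the thread's log; a real triage would extend it.
TRUSTED_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com", "search.msn.com"}

# Markers HijackThis prints when a registered component's file is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")

R01_RE = re.compile(r"^R[01] - (?P<key>.+?)\s=\s(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O9_RE = re.compile(
    r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$"
)
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def classify(line: str):
    """Return a short reason if the HijackThis line looks suspect, else None."""
    line = line.strip()

    m = R01_RE.match(line)
    if m:  # R0/R1: IE start page, search page, search URL, proxy settings
        key, value = m.group("key"), m.group("value")
        if re.search(r"Search|Start Page|Default_Page", key) and value.lower().startswith("http"):
            host = urlparse(value).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                return f"search/start page redirected to untrusted host {host}"
        return None

    # R3: URL search hook whose DLL is gone; the registration is dead weight
    if line.startswith("R3 - URLSearchHook:") and line.endswith(MISSING_MARKERS):
        return "orphaned URLSearchHook (file gone, registration remains)"

    m = O2_RE.match(line)
    if m:  # O2: Browser Helper Objects loaded into every IE process
        target = m.group("target")
        if target.endswith(MISSING_MARKERS):
            return "BHO registered but its DLL is missing"
        # Heuristic (assumption of this example): a BHO living in a digits-only
        # folder under system32, like the thread's 158117.dll, is not how
        # legitimate vendors install and deserves a look.
        if re.search(r"\\system32\\\d+\\", target, re.IGNORECASE):
            return "BHO loaded from a numeric folder under system32"
        return None

    m = O9_RE.match(line)
    if m and m.group("target").lower().startswith("http"):
        # O9 buttons normally point at a local executable or DLL
        return "IE toolbar button/menu item points at a remote URL"

    m = O4_RE.match(line)
    if m and re.search(r"rundll32(\.exe)?\s", m.group("cmd"), re.IGNORECASE):
        # Legitimate software does this too; it is a "verify the DLL" item
        return "autostart loads a DLL through rundll32 (verify the DLL)"

    return None


def triage(log_text: str):
    """Run classify() over a whole log; returns [(reason, line), ...] in log order."""
    hits = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            hits.append((reason, raw.strip()))
    return hits


# Sample input: a subset of lines from the thread's first HijackThis log
# (reproduced here as test data for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: 158117 helper - {427B1FD8-2123-4334-A7D8-7A497363914B} - C:\WINDOWS\system32\158117\158117.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Running it against the sample prints six flagged lines, which are exactly the entries the helper and RVAXO dealt with; the Java, Microsoft and MSMQ lines pass through untouched.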
            • #7
              AFTER the restart:

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 18:13:05, on 16-5-2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16640)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\Explorer.EXE
              C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              C:\Program Files\Bonjour\mDNSResponder.exe
              C:\Program Files\Eset\nod32krn.exe
              C:\Program Files\Eset\nod32kui.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
              C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Messenger\msmsgs.exe
              C:\WINDOWS\system32\mqsvc.exe
              C:\Program Files\Sweex WiFi LAN 140 Nitro XM Utility\WlanUtl.exe
              C:\WINDOWS\system32\devldr32.exe
              C:\WINDOWS\system32\mqtgsvc.exe
              C:\Program Files\iPod\bin\iPodService.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
              O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
              O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
              O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
              O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
              O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
              O4 - Global Startup: Sweex WiFi LAN 140 Nitro XM Utility.lnk = ?
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
              O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
              O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
              O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
              O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
              O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
              O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
              O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
              O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
              O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
              O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

              --
              End of file - 6006 bytes

              Am I now rid of the problem too?

              With MSN I usually got "Loader.exe" cannot load; not anymore now.

              THANKS!

              -Tom Joosten

              • #8
                The log looks good.

                Would you try this as well?

                Start - Run and enter the following line in the input box:
                start notepad C:\rvaxo-vfind.log
                Press OK.

                If all is well, a log will open; could you post its contents as well?

                • #9
                  ======C:\WINDOWS====
                  ----a-w 0 2008-05-16 15:15:00 C:\WINDOWS\0.log
                  --s-a-w 2,048 2008-05-16 15:14:39 C:\WINDOWS\bootstat.dat
                  ----a-w 109 2008-04-17 13:56:35 C:\WINDOWS\GMouse.ini
                  ----a-w 7,867 2008-05-16 14:07:28 C:\WINDOWS\IDNMitigationAPIs.log
                  ----a-w 9,843 2008-05-16 14:08:21 C:\WINDOWS\ie7.log
                  ----a-w 52,201 2008-05-16 14:11:50 C:\WINDOWS\ie7_main.log
                  ----a-w 7,313 2008-05-16 14:06:28 C:\WINDOWS\KB915865.log
                  ----a-w 10,960 2008-05-16 14:10:03 C:\WINDOWS\KB944533-IE7.log
                  ----a-w 9,563 2008-05-16 14:10:52 C:\WINDOWS\KB947864-IE7.log
                  ----a-w 7,859 2008-05-16 14:07:00 C:\WINDOWS\NLSDownlevelMapping.log
                  ----a-w 57,348 2008-05-16 15:11:25 C:\WINDOWS\ntbtlog.txt
                  ----a-w 1,409 2008-04-20 19:21:15 C:\WINDOWS\QTFont.for
                  ---ha-w 54,156 2008-05-16 12:57:46 C:\WINDOWS\QTFont.qfn
                  ----a-w 32,590 2008-05-16 15:10:15 C:\WINDOWS\SchedLgU.Txt
                  ----a-w 60 2008-05-16 15:02:59 C:\WINDOWS\setupact.log
                  ----a-w 43,675 2008-05-16 14:26:07 C:\WINDOWS\setupapi.log
                  ----a-w 0 2008-05-16 15:02:59 C:\WINDOWS\setuperr.log
                  ----a-w 6,272 2008-05-16 15:14:57 C:\WINDOWS\spupdsvc.log
                  ----a-w 0 2008-05-08 19:54:06 C:\WINDOWS\Sti_Trace.log
                  ----a-w 1,650 2008-05-16 14:10:01 C:\WINDOWS\updspapi.log
                  ----a-w 216 2008-05-16 15:10:04 C:\WINDOWS\wiadebug.log
                  ----a-w 49 2008-05-16 15:10:05 C:\WINDOWS\wiaservc.log
                  ----a-w 1,493,231 2008-05-16 15:09:35 C:\WINDOWS\WindowsUpdate.log

                  Entries: 23 (21)
                  Directories: 0 Files: 23
                  Bytes: 1,798,419 Blocks: 3,524
                  ======C:\WINDOWS\system32=====
                  ----a-w 16,863,864 2008-05-09 12:35:06 C:\WINDOWS\System32\MRT.exe
                  ----a-w 51,176 2008-05-16 13:02:09 C:\WINDOWS\System32\perfc009.dat
                  ----a-w 65,086 2008-05-16 13:02:09 C:\WINDOWS\System32\perfc013.dat
                  ----a-w 355,420 2008-05-16 13:02:09 C:\WINDOWS\System32\perfh009.dat
                  ----a-w 409,240 2008-05-16 13:02:09 C:\WINDOWS\System32\perfh013.dat
                  ----a-w 889,994 2008-05-16 13:02:07 C:\WINDOWS\System32\PerfStringBackup.INI
                  ----a-w 822,165 2008-05-16 05:10:02 C:\WINDOWS\System32\RVAXO.bat
                  ----a-w 2,206 2008-05-16 15:15:16 C:\WINDOWS\System32\wpa.dbl

                  Entries: 8 (8)
                  Directories: 0 Files: 8
                  Bytes: 19,459,151 Blocks: 38,011
                  ======C:\WINDOWS\system32\drivers=====
                  Entries: 0 (0)
                  Directories: 0 Files: 0
                  Bytes: 0 Blocks: 0
                  =======C:\Program Files=====
                  Entries: 0 (0)
                  Directories: 0 Files: 0
                  Bytes: 0 Blocks: 0
                  =======C:=====
                  -c--a-w 601 2008-05-16 15:13:07 C:\firstrun6.log
                  --sha-w 401,985,536 2008-05-16 15:14:37 C:\hiberfil.sys
                  --sha-w 602,873,856 2008-05-16 15:14:35 C:\pagefile.sys
                  -c--a-w 736 2008-05-16 15:17:53 C:\RVAXO-results.log
                  -c--a-w 2,996 2008-05-16 15:17:54 C:\RVAXO-Vfind.log

                  Entries: 5 (3)
                  Directories: 0 Files: 5
                  Bytes: 1,004,863,725 Blocks: 1,962,626
                  ======C:\Documents and Settings\TOM\Application Data======
                  Entries: 0 (0)
                  Directories: 0 Files: 0
                  Bytes: 0 Blocks: 0
                  ======C:\Documents and Settings\TOM======
                  ----a-w 4,876 2008-05-03 20:31:14 C:\Documents and Settings\TOM\.recently-used.xbel
                  ----a-w 4,120,576 2008-05-16 15:13:37 C:\Documents and Settings\TOM\ntuser.dat
                  ---ha-w 32,768 2008-05-16 15:17:45 C:\Documents and Settings\TOM\ntuser.dat.LOG
                  --sh--w 188 2008-05-16 15:09:52 C:\Documents and Settings\TOM\ntuser.ini

                  Entries: 4 (2)
                  Directories: 0 Files: 4
                  Bytes: 4,158,408 Blocks: 8,123
                  ======C:\WINDOWS\Downloaded Program Files====
                  Entries: 0 (0)
                  Directories: 0 Files: 0
                  Bytes: 0 Blocks: 0
                  =============


                  That was it then. I'll check again in half an hour to see whether you've put something up.

                  THANKSTHANKSTHANKS!

                  -Tom Joosten

                  • #10
                    No more bad files to be seen.

                    Do this as well:

                    Turn off System Restore. Restart the computer. Turn System Restore back on.
                    Look here for how to turn off System Restore.
                    This removes any remnants of the infections from your System Restore.

                    Regards, smeenk

                    • #11
                      Done, thanks!

                      • #12
                        You're welcome.
