Logs from trebor


    Logfile of HijackThis v1.97.7
    Scan saved at 18:20:29, on 2/12/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Robert\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qantrerigzqkvllhrucdnpite.com/LkugQFFxXm2NnZEsQoe1MBgDyb2nRxaeyC30Le2JwPdko1zWgGxzDw9eKQxdqIA3.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [mess meet eggs start] C:\Documents and Settings\All Users\Application Data\Bird Delete Mess Meet\browsemp3.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Puremess] C:\DOCUME~1\Robert\APPLIC~1\METAPO~1\size play inside.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\program files\antiy labs\agb4\agbfilt.dll
    O10 - Unknown file in Winsock LSP: c:\program files\antiy labs\agb4\agbfilt.dll
    O10 - Unknown file in Winsock LSP: c:\program files\antiy labs\agb4\agbfilt.dll
    O10 - Unknown file in Winsock LSP: c:\program files\antiy labs\agb4\agbfilt.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096121697063
    O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

  • #2
    Good evening trebor,
    Your log is currently being reviewed; I will help you further as soon as possible.
    regards, jan
    Proud member of UNITE (Unite Against Malware)
    Security tips - Beware of PUPs!

    "If you think you are too small to be effective, you have never been in the dark with a mosquito"



    • #3
      Hello Trebor. There is a newer version of HijackThis than the one you are using. Go to http://www.nucia.eu --> downloads --> hijackthis --> ASO HTTP

      Also, save HijackThis in a separate folder (My Documents\hijackthis or c:\program files\hijackthis\).

      Now post a new log file.


      The rabble that arrived by Przewalski's horse at the enchantingly situated establishment - comma -

      "Do not confuse the truth with the opinion of the majority"



      • #4
        New log with 1.98.2. Search bar that I cannot remove: http://mysearchnow.com/pas

        Logfile of HijackThis v1.98.2
        Scan saved at 21:25:53, on 2/12/2004
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\csrss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\Ati2evxx.exe
        C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\Program Files\Messenger Plus! 3\MsgPlus.exe
        C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
        C:\PROGRA~1\INCRED~1\bin\IMApp.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
        c:\progra~1\intern~1\iexplore.exe
        C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
        C:\Program Files\SpywareGuard\sgmain.exe
        C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
        C:\Program Files\MSN Messenger\msnmsgr.exe
        C:\Program Files\SpywareGuard\sgbhp.exe
        C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\wdfmgr.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
        C:\WINDOWS\System32\MsPMSPSv.exe
        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
        C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
        C:\WINDOWS\System32\alg.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
        C:\Program Files\IncrediMail\bin\IncMail.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        E:\programmas\Hijack This\hijackthis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.twzemlduretttwwfl.com/LkugQFFxXm2NnZEsQoe1MBgDyb2nRxaeyC30Le2JwPeTx_yhuCnyug9eKQxdqIA3.cgi
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
        O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
        O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
        O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
        O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
        O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\cmicnfg.cpl,CMICtrlWnd
        O4 - HKLM\..\Run: [mess meet eggs start] C:\Documents and Settings\All Users\Application Data\Bird Delete Mess Meet\browsemp3.exe
        O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
        O4 - HKCU\..\Run: [Puremess] C:\DOCUME~1\Robert\APPLIC~1\METAPO~1\size play inside.exe
        O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
        O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
        O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
        O4 - Global Startup: hpoddt01.exe.lnk = ?
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
        O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
        O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
        O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
        O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096121697063
        O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab



        • #5
          Admin:

          Old and new log merged into one topic.


          The rabble that arrived by Przewalski's horse at the enchantingly situated establishment - comma -

          "Do not confuse the truth with the opinion of the majority"



          • #6
            Good afternoon trebor,

            Because the folders and/or files you are going to remove from your PC may be hidden, you first need to make all folders and files visible.

            Close all windows except HijackThis (if HijackThis is not running yet, start it).

            In HijackThis, click 'Scan'.

            In HijackThis, tick only the following lines:
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.twzemlduretttwwfl.com/Lk...g9eKQxdqIA3.cgi
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
            O4 - HKLM\..\Run: [mess meet eggs start] C:\Documents and Settings\All Users\Application Data\Bird Delete Mess Meet\browsemp3.exe
            O4 - HKCU\..\Run: [Puremess] C:\DOCUME~1\Robert\APPLIC~1\METAPO~1\size play inside.exe

            Do you use Spybot's immunize function?
            If not, you can also tick the following lines:
            O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
            O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
            O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

            I see in your log that you use StartPage Guard (or used it in the past and have since removed it).
            If you have already removed it yourself, you can also tick the following line:
            O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
            (in that case the folder c:\program files\pjw\spguard must also be removed)
            If you still have the program installed, I advise you to uninstall it via <Control Panel> <Add/Remove Programs>.
            Its function is taken over by Spy Sweeper anyway.

            Click 'Fix checked'.

            Now restart your computer in Safe Mode.

            Also delete the following folders:
            C:\Documents and Settings\All Users\Application Data\Bird Delete Mess Meet
            C:\Documents and Settings\Robert\Application Data\METAPO~1 (this folder contains the file size play inside.exe)

            Then restart your computer in normal mode and post another new log, for checking.


            Good luck, Jan
            Proud member of UNITE (Unite Against Malware)
            Security tips - Beware of PUPs!

            "If you think you are too small to be effective, you have never been in the dark with a mosquito"



            • #7
              New log after carrying out the steps given by ASO

              Logfile of HijackThis v1.98.2
              Scan saved at 17:36:09, on 3/12/2004
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\csrss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\System32\Ati2evxx.exe
              C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
              C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
              C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
              C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
              C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\wdfmgr.exe
              C:\WINDOWS\System32\MsPMSPSv.exe
              C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
              C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
              C:\WINDOWS\System32\alg.exe
              C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
              C:\WINDOWS\Explorer.EXE
              C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
              C:\Program Files\Common Files\Symantec Shared\ccApp.exe
              C:\Program Files\Messenger Plus! 3\MsgPlus.exe
              C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Messenger\msmsgs.exe
              C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
              C:\PROGRA~1\INCRED~1\bin\IMApp.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
              C:\Program Files\MSN Messenger\msnmsgr.exe
              C:\WINDOWS\System32\HPZipm12.exe
              C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
              E:\programmas\Hijack This\hijackthis.exe

              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yurwekscww.uk/LkugQFFxXm2NnZEsQoe1MBgDyb2nRxaeyC30Le2JwPdwt8hNdHd2Hg9eKQxdqIA3.htm
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
              O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
              O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
              O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
              O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
              O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
              O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
              O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
              O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
              O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\cmicnfg.cpl,CMICtrlWnd
              O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
              O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
              O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
              O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
              O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
              O4 - Global Startup: hpoddt01.exe.lnk = ?
              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
              O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
              O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
              O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
              O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
              O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096121697063
              O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab



              • #8
                Admin:

                Old and new log merged into one topic.

                Next time, please try to stay in the same topic by clicking "new reply" at the top of the topic.


                The rabble that arrived by Przewalski's horse at the enchantingly situated establishment - comma -

                "Do not confuse the truth with the opinion of the majority"



                • #9
                  Good evening Trebor,

                  If HijackThis is not open, open it and click 'Scan'.

                  In HijackThis, tick only the following line:
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yurwekscww.uk/LkugQFFxXm...g9eKQxdqIA3.htm

                  Close all open windows except HijackThis and click 'Fix checked'.

                  Then restart your computer and post another new log, for checking.


                  Good luck, Jan
                  Proud member of UNITE (Unite Against Malware)
                  Security tips - Beware of PUPs!

                  "If you think you are too small to be effective, you have never been in the dark with a mosquito"



                  • #10
                    New log as requested > R1 search bar still not removed after fix

                    Logfile of HijackThis v1.98.2
                    Scan saved at 11:13:32, on 6/12/2004
                    Platform: Windows XP SP2 (WinNT 5.01.2600)
                    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\csrss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\WINDOWS\System32\Ati2evxx.exe
                    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
                    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
                    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\wdfmgr.exe
                    C:\WINDOWS\System32\MsPMSPSv.exe
                    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
                    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
                    C:\WINDOWS\System32\alg.exe
                    C:\WINDOWS\system32\wuauclt.exe
                    C:\WINDOWS\Explorer.EXE
                    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
                    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
                    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                    C:\WINDOWS\system32\ctfmon.exe
                    C:\Program Files\Messenger\msmsgs.exe
                    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                    c:\progra~1\intern~1\iexplore.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
                    C:\Program Files\Internet Explorer\iexplore.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                    C:\Program Files\MSN Messenger\msnmsgr.exe
                    E:\programmas\Hijack This\hijackthis.exe

                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pgyyvmffkedrdxakfmbszg.com/LkugQFFxXm2NnZEsQoe1MBgDyb2nRxaeyC30Le2JwPcV6YJf/ewXFg9eKQxdqIA3.html
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
                    O2 - BHO: (no name) - {087AF3A9-5946-2A13-51A8-FCD34F6DEFA3} - C:\DOCUME~1\Robert\APPLIC~1\COALTE~1\shimcake.exe
                    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
                    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
                    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
                    O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\cmicnfg.cpl,CMICtrlWnd
                    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
                    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
                    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
                    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
                    O4 - HKCU\..\Run: [Puremess] C:\DOCUME~1\Robert\APPLIC~1\METAPO~1\size play inside.exe
                    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
                    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
                    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                    O4 - Global Startup: hpoddt01.exe.lnk = ?
                    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
                    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                    O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
                    O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096121697063
                    O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab



                    • #11
Good evening Trebor,

During the first clean-up, did you not manage to delete the folder 'C:\Documents and Settings\Robert\Application Data\METAPO~1'?
That folder (which belongs to the hijacker you are suffering from) is what keeps causing the reinfection!



Because the folders and/or files you are going to delete from your PC may be
hidden, you first have to make all folders and files visible.

Open HijackThis and click 'Scan'.

In HijackThis, tick only the following lines:
                      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pgyyvmffkedrdxakfmbszg.c...9eKQxdqIA3.html
                      O2 - BHO: (no name) - {087AF3A9-5946-2A13-51A8-FCD34F6DEFA3} - C:\DOCUME~1\Robert\APPLIC~1\COALTE~1\shimcake.exe
                      O4 - HKCU\..\Run: [Puremess] C:\DOCUME~1\Robert\APPLIC~1\METAPO~1\size play inside.exe

Now close all windows except HijackThis

In HijackThis, click 'Fix checked'

Now restart your computer in Safe Mode.

Also delete the following folders:
C:\Documents and Settings\Robert\Application Data\COALTE~1 (this folder contains the file shimcake.exe)
C:\Documents and Settings\Robert\Application Data\METAPO~1 (this folder contains the file size play inside.exe)

Then restart your computer in normal mode and post another new log so we can check it.


Good luck, Jan
Proud member of UNITE (Unite Against Malware)
Security tips - Beware of PUPs!

"If you think you are too small to be effective, you have never been in the dark with a mosquito"


                      • #12
Attn. Jahewi
Tried again to remove METAPO~1 > here is the new log after the
removal you suggested

                        Scan saved at 19:12:07, on 7/12/2004
                        Platform: Windows XP SP2 (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\system32\csrss.exe
                        C:\WINDOWS\system32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                        C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
                        C:\Program Files\Messenger Plus! 3\MsgPlus.exe
                        C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                        C:\WINDOWS\system32\ctfmon.exe
                        C:\Program Files\Messenger\msmsgs.exe
                        C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                        C:\WINDOWS\System32\Ati2evxx.exe
                        C:\PROGRA~1\INCRED~1\bin\IMApp.exe
                        C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                        C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
                        C:\Program Files\MSN Messenger\msnmsgr.exe
                        C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
                        C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\system32\wdfmgr.exe
                        C:\WINDOWS\System32\MsPMSPSv.exe
                        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                        C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
                        C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
                        C:\WINDOWS\System32\alg.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                        C:\WINDOWS\system32\wuauclt.exe
                        E:\programmas\Hijack This\hijackthis.exe
                        C:\Program Files\IncrediMail\bin\IncMail.exe

                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
                        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
                        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                        O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                        O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
                        O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                        O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
                        O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
                        O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\cmicnfg.cpl,CMICtrlWnd
                        O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
                        O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
                        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                        O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
                        O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
                        O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
                        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
                        O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                        O4 - Global Startup: hpoddt01.exe.lnk = ?
                        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                        O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
                        O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                        O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
                        O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
                        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096121697063
                        O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab



                        • #13
Still an error in the new log 8-12-04

Attn. Jahewi
The next day, after starting up, I made another log; it turns out R1 still keeps coming back? The others do not come back

                          Logfile of HijackThis v1.98.2
                          Scan saved at 8:55:25, on 8/12/2004
                          Platform: Windows XP SP2 (WinNT 5.01.2600)
                          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                          Running processes:
                          C:\WINDOWS\System32\smss.exe
                          C:\WINDOWS\system32\csrss.exe
                          C:\WINDOWS\system32\winlogon.exe
                          C:\WINDOWS\system32\services.exe
                          C:\WINDOWS\system32\lsass.exe
                          C:\WINDOWS\system32\svchost.exe
                          C:\WINDOWS\system32\svchost.exe
                          C:\WINDOWS\System32\svchost.exe
                          C:\WINDOWS\System32\svchost.exe
                          C:\WINDOWS\System32\svchost.exe
                          C:\WINDOWS\system32\spoolsv.exe
                          C:\WINDOWS\System32\Ati2evxx.exe
                          C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                          C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                          C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
                          C:\WINDOWS\Explorer.EXE
                          C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
                          C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
                          C:\WINDOWS\System32\svchost.exe
                          C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                          C:\WINDOWS\system32\wdfmgr.exe
                          C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                          C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
                          C:\Program Files\Messenger Plus! 3\MsgPlus.exe
                          C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                          C:\WINDOWS\system32\ctfmon.exe
                          C:\Program Files\Messenger\msmsgs.exe
                          C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
                          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                          C:\WINDOWS\System32\MsPMSPSv.exe
                          C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                          C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
                          C:\PROGRA~1\INCRED~1\bin\IMApp.exe
                          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                          C:\Program Files\MSN Messenger\msnmsgr.exe
                          C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                          C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
                          C:\WINDOWS\System32\alg.exe
                          C:\WINDOWS\system32\wuauclt.exe
                          E:\programmas\Hijack This\hijackthis.exe

                          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.owkivunpkhcqimtehkqetgu.us/LkugQFFxXm2NnZEsQoe1MBgDyb2nRxaeyC30Le2JwPfEZy23C3XnBg9eKQxdqIA3.jpg
                          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
                          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
                          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                          O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                          O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                          O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
                          O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                          O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
                          O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
                          O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\cmicnfg.cpl,CMICtrlWnd
                          O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
                          O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
                          O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                          O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                          O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
                          O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
                          O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
                          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
                          O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                          O4 - Global Startup: hpoddt01.exe.lnk = ?
                          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                          O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                          O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
                          O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                          O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
                          O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
                          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096121697063
                          O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab



                          • #14
Hi Trebor,

The hijacker is apparently being constantly put back by one of your security programs.
StartPage-Guard is the most obvious culprit

So first uninstall StartPage-Guard via Control Panel > Add or Remove Programs.

Open HijackThis and click 'Scan'.

In HijackThis, tick only the following lines:
                            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.owkivunpkhcqimtehkqetgu....g9eKQxdqIA3.jpg

Now close all windows except HijackThis

In HijackThis, click 'Fix checked'

Then restart your computer and post another new log so we can check it.


Good luck, Jan
Proud member of UNITE (Unite Against Malware)
Security tips - Beware of PUPs!

"If you think you are too small to be effective, you have never been in the dark with a mosquito"
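An added example, not part of this thread and not code from HijackThis or any of the tools named in it: a small Python script that parses the R0/R1/O2/O3/O4 entry lines of successive HijackThis logs, compares them by the location each entry loads from (registry value, BHO CLSID, Run value name) rather than by its current target, and reports entries that disappear after a 'Fix checked' and then return. That is the pattern in posts #11, #13 and #14 above: the Search Bar value was fixed, was absent from the next log, and came back with a different random hostname. The sample logs are constructed from entries quoted in this thread; the 'loads from Application Data' and 'random-looking host' heuristics, and the 0.35 vowel-ratio threshold in them, are my own assumptions for triage, not anything HijackThis computes.

```python
"""Compare successive HijackThis logs and flag entries that keep coming back."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O2", "O4", ...
    key: str      # where it loads from: registry value, BHO CLSID, Run value name
    value: str    # what it loads: a URL or an executable
    raw: str      # the original log line, for reporting


_LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
_O4_RE = re.compile(r"^(.+?): \[(.+?)\] (.*)$")
# Heuristic (assumption): code registered from the user's Application Data folder.
_USER_DATA_RE = re.compile(r"\\(APPLIC~1|Application Data)\\", re.IGNORECASE)


def parse_entry(line: str):
    """Parse one HijackThis entry line; return None for process lists, headers, blanks."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section.startswith("R"):
        # R1 - HKCU\...\Main,Search Bar = http://host/page
        key, _, value = body.partition(" = ")
    elif section in ("O2", "O3"):
        # O2 - BHO: (no name) - {CLSID} - C:\path\file.dll  -> keyed on the CLSID
        parts = [p.strip() for p in body.split(" - ")]
        key = next((p for p in parts if p.startswith("{") and p.endswith("}")), body)
        value = parts[-1]
    elif section == "O4":
        m4 = _O4_RE.match(body)
        if m4:
            # O4 - HKCU\..\Run: [Name] command  -> keyed on hive\key:[value name]
            key, value = f"{m4.group(1)}:[{m4.group(2)}]", m4.group(3)
        else:
            # O4 - Global Startup: shortcut.lnk = target
            key, _, value = body.partition(" = ")
    else:
        key, value = body, ""
    return Entry(section, key.strip(), value.strip(), line.strip())


def parse_log(text: str) -> dict:
    """Map (section, key) -> Entry for every entry line in a log."""
    log = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e:
            log[(e.section, e.key)] = e
    return log


def diff_logs(before: dict, after: dict):
    """Keys removed, added and re-targeted between two consecutive logs."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(k for k in before.keys() & after.keys()
                     if before[k].value != after[k].value)
    return removed, added, changed


def reappearing(logs: list) -> set:
    """Keys that were present, then absent, then present again in a later log.
    A fixed IE setting that behaves like this is being restored by something."""
    seen, gone, back = set(), set(), set()
    for log in logs:
        keys = set(log)
        back |= gone & keys
        gone |= seen - keys
        seen |= keys
    return back


def _random_looking(host) -> bool:
    """Assumption: a long, vowel-poor host label, like the search-bar hosts in this thread."""
    if not host:
        return False
    label = max(host.split("."), key=len)
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 16 and vowels / len(label) < 0.35


def suspicious(log: dict) -> list:
    """Apply the triage indicators; return [(raw line, reasons)] for entries that hit."""
    hits = []
    for e in log.values():
        reasons = []
        if e.section in ("O2", "O3", "O4") and _USER_DATA_RE.search(e.value):
            reasons.append("executable under the user's Application Data")
        if e.section.startswith("R") and _random_looking(urlsplit(e.value).hostname):
            reasons.append("random-looking host in an IE setting")
        if reasons:
            hits.append((e.raw, reasons))
    return hits


# Constructed sample: three abridged logs built from entries quoted in this thread.
_R1_HIJACK = r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.owkivunpkhcqimtehkqetgu.us/LkugQFFxXm2NnZEsQoe1MBgDyb2nRxaeyC30Le2JwPfEZy23C3XnBg9eKQxdqIA3.jpg"
_BENIGN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""
_DROPPED = r"""
O2 - BHO: (no name) - {087AF3A9-5946-2A13-51A8-FCD34F6DEFA3} - C:\DOCUME~1\Robert\APPLIC~1\COALTE~1\shimcake.exe
O4 - HKCU\..\Run: [Puremess] C:\DOCUME~1\Robert\APPLIC~1\METAPO~1\size play inside.exe
"""
LOG_DAY1 = _R1_HIJACK + _BENIGN + _DROPPED   # before the fix
LOG_AFTER_FIX = _BENIGN                      # right after 'Fix checked' and reboot
LOG_NEXT_DAY = _R1_HIJACK + _BENIGN          # the search bar is back, the dropper is not

if __name__ == "__main__":
    logs = [parse_log(t) for t in (LOG_DAY1, LOG_AFTER_FIX, LOG_NEXT_DAY)]
    for raw, reasons in suspicious(logs[0]):
        print("SUSPECT:", raw, "|", "; ".join(reasons))
    removed, added, changed = diff_logs(logs[0], logs[1])
    print("removed by fix:", removed)
    print("came back later:", sorted(reappearing(logs)))
```

Comparing by location is the point: an entry that returns with a different URL is still the same persistence point, and a key that flips absent, then present again across reboots points at something restoring it (a start-page 'protection' tool replaying a saved setting, or a dropper still on disk) rather than at a one-off. The heuristics are for triage only; legitimate software occasionally registers a Run entry or BHO under the user's Application Data, so treat hits as candidates for review, not verdicts.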


                            • #15
New HijackThis log 9-12-2004

Attn. Jahewi

Uninstalled Startpage-Guard > fixed the R1 search bar again > restarted the PC > the R1 search bar was still not removed in the new log > uninstalled Spy Sweeper > fixed the R1 search bar again > restarted the PC > the R1 search bar was now removed in the new log > made another new log the next day, the R1 search bar was still gone. (hopefully my problem is now solved)

May I reinstall Startpage-Guard and Spy Sweeper now???

New HijackThis log from 9-12-2004 >

                              Logfile of HijackThis v1.98.2
                              Scan saved at 10:25:29, on 9/12/2004
                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                              Running processes:
                              C:\WINDOWS\System32\smss.exe
                              C:\WINDOWS\system32\winlogon.exe
                              C:\WINDOWS\system32\services.exe
                              C:\WINDOWS\system32\lsass.exe
                              C:\WINDOWS\system32\svchost.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\WINDOWS\system32\spoolsv.exe
                              C:\WINDOWS\System32\Ati2evxx.exe
                              C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                              C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                              C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
                              C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
                              C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
                              C:\WINDOWS\System32\svchost.exe
                              C:\WINDOWS\System32\MsPMSPSv.exe
                              C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                              C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
                              C:\WINDOWS\system32\wuauclt.exe
                              C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
                              C:\WINDOWS\Explorer.EXE
                              C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                              C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                              C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
                              C:\Program Files\Messenger Plus! 3\MsgPlus.exe
                              C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                              C:\WINDOWS\system32\ctfmon.exe
                              C:\Program Files\Messenger\msmsgs.exe
                              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                              C:\PROGRA~1\INCRED~1\bin\IMApp.exe
                              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                              C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                              C:\Program Files\MSN Messenger\msnmsgr.exe
                              E:\programmas\Hijack This\hijackthis.exe

                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
                              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
                              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                              O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                              O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
                              O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
                              O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                              O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                              O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
                              O4 - HKLM\..\Run: [Cmaudio] RunDll32 c:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\cmicnfg.cpl,CMICtrlWnd
                              O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
                              O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
                              O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
                              O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                              O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
                              O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
                              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
                              O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                              O4 - Global Startup: hpoddt01.exe.lnk = ?
                              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                              O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                              O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
                              O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                              O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
                              O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096121697063
                              O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactieve Training\o10c\mitm0026.cab

