  • strippoker popups, free spyware scanning

    Hey, lately I've been getting strip poker popups, and popups for "free spyware scanning", even when my Internet Explorer isn't open (which it usually isn't; long live Firefox).

    I also have a virus that I can't remove: NTRootKit-H
    In safe mode I can remove it, but on restart it keeps coming back (System Restore is off).


    Logfile of HijackThis v1.99.0
    Scan saved at 20:18:50, on 22/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Windows\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Windows\System32\PROMon.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\NotifyPhoneBook.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe
    C:\Windows\System32\NMSSvc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Windows\System32\HPZipm12.exe
    C:\Windows\System32\unlodctl.exe
    C:\Windows\System32\nlsfuncs.exe
    C:\Windows\System32\openconf.exe
    C:\Documents and Settings\Jef\Desktop\hijackthis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O2 - BHO: (no name) - {F6C2A731-7C09-404A-9A1A-0479F1E0BFB9} - C:\Windows\System32\mshi.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [CloseDNF] C:\Windows\System32\Utility.exe \1008
    O4 - HKLM\..\Run: [winusb.dll] winguard.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NeroCheck] C:\Windows\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
    O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
    O4 - HKLM\..\RunServices: [winusb.dll] winguard.exe
    O4 - HKLM\..\RunOnce: [qappsrvc32.exe] qappsrvc32.exe
    O4 - HKCU\..\Run: [Go And Start] svdll32.exe
    O4 - HKCU\..\Run: [winusb.dll] winguard.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://*.search-soft.net

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100770838125
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{959E91CA-8B89-40D6-B692-E42F33F61029}: NameServer = 195.238.2.21 195.238.2.22
    O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
    O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\System32\HPZipm12.exe
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

  • #2
    Hi.. you've got a nasty one.. so it is important that you follow my steps really carefully.

    * Download rem.zip. (credit to Baskar)
    This zip file contains 2 files: remv3.bat and feach.com.
    Copy those files to the following folder: c:\windows\system32

    * Now boot your PC into SAFE MODE. How do I boot into safe mode.

    Go to Start - Run - and type:

    C:\WINDOWS\System32\remv3.bat


    Restart the computer in normal mode.
    Use Windows Explorer to find the file C:\log.txt.
    Post the contents of log.txt together with a new HijackThis log.
    Microsoft MVP - Consumer Security
    Director of Research @ Malwarebytes
    My Blog



    • #3
      Thanks already for your time; I suppose I now have to delete that dll in safe mode?

      log.txt:


      Files Found.................
      ----------------------------------------

      Files Not deleted.................
      ----------------------------------------

      Merging registry entries
      -----------------------------------------------------------------
      The Registry Entries Found...
      -----------------------------------------------------------------


      Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
      -----------------------------------------------------------------
      msbc.dll
      mshi.dll
      msi.dll
      mspq.dll
      Finished



      HijackThis log

      Logfile of HijackThis v1.99.0
      Scan saved at 1:27:34, on 23/12/2004
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\Windows\System32\smss.exe
      C:\Windows\system32\csrss.exe
      C:\Windows\system32\winlogon.exe
      C:\Windows\system32\services.exe
      C:\Windows\system32\lsass.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Program Files\Sygate\SPF\smc.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\spoolsv.exe
      C:\Windows\Explorer.EXE
      C:\Windows\System32\igfxtray.exe
      C:\Windows\System32\hkcmd.exe
      C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
      C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
      C:\Windows\System32\PROMon.exe
      C:\Windows\System32\rundll32.exe
      C:\Windows\System32\NotifyPhoneBook.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\HP\HP Software Update\HPWuSchd.exe
      C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
      C:\Windows\Cpqdiag\Cpqdfwag.exe
      C:\Windows\System32\NMSSvc.exe
      C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
      C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
      C:\Compaq\EAKDRV\EAUSBKBD.EXE
      C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
      C:\Documents and Settings\Jef\Desktop\hijackthis.exe
      C:\Program Files\Network Associates\VirusScan\VsStat.exe
      C:\Windows\System32\svchost.exe
      C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
      C:\Program Files\Network Associates\VirusScan\Avconsol.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Network Associates\VirusScan\Webscanx.exe
      C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
      C:\Windows\System32\HPZipm12.exe
      C:\WINDOWS\System32\wbem\wmiprvse.exe
      C:\Windows\System32\wuauclt.exe
      C:\Windows\system32\drwtsn32.exe
      C:\Windows\System32\unlodctl.exe
      C:\Windows\System32\nlsfuncs.exe
      C:\Windows\System32\pentxpl.exe
      C:\Windows\System32\openconf.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
      O2 - BHO: (no name) - {5EDA2C52-1A95-4F77-9F44-83DDC2E24A00} - C:\Windows\System32\msmn.dll
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
      O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
      O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
      O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
      O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
      O4 - HKLM\..\Run: [CloseDNF] C:\Windows\System32\Utility.exe \1008
      O4 - HKLM\..\Run: [winusb.dll] winguard.exe
      O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
      O4 - HKLM\..\Run: [NeroCheck] C:\Windows\System32\\NeroCheck.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
      O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
      O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
      O4 - HKLM\..\RunServices: [winusb.dll] winguard.exe
      O4 - HKCU\..\Run: [Go And Start] svdll32.exe
      O4 - HKCU\..\Run: [winusb.dll] winguard.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
      O15 - Trusted Zone: http://*.search-soft.net
      O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100770838125
      O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
      O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
      O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
      O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
      O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
      O23 - Service: Intel(R) NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\System32\HPZipm12.exe
      O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



      • #4
        Hmmm.. strange. Did you run that batch in safe mode as I asked? I don't think so... Also copy those 3 txt files that are in the rem folder to the system32 folder (although that is done automatically)
        No, never go deleting items on your own!!

        * Download and install CCleaner
        Don't use it yet

        * Make sure hidden folders and files are shown. How to show them.
        * Start HijackThis and tick the following items:

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
        O2 - BHO: (no name) - {5EDA2C52-1A95-4F77-9F44-83DDC2E24A00} - C:\Windows\System32\msmn.dll
        O4 - HKLM\..\Run: [winusb.dll] winguard.exe
        O4 - HKLM\..\RunServices: [winusb.dll] winguard.exe
        O4 - HKCU\..\Run: [Go And Start] svdll32.exe
        O4 - HKCU\..\Run: [winusb.dll] winguard.exe
        O15 - Trusted Zone: http://*.search-soft.net


        * Close all open windows except HijackThis and click: Fix Checked.

        * Now boot your PC into SAFE MODE. How do I boot into safe mode.

        Go via Control Panel to Add/Remove Programs, check whether the following programs are present, and uninstall them:

        * Then use Explorer to find the following items and delete them manually if they are still present:

        C:\Windows\System32\unlodctl.exe
        C:\Windows\System32\nlsfuncs.exe
        C:\Windows\System32\pentxpl.exe
        C:\Windows\System32\openconf.exe
        C:\Windows\System32\msbc.dll
        C:\Windows\System32\mshi.dll
        C:\Windows\System32\mspq.dll

        * Still in safe mode: Go to Start - Run - and type:

        C:\WINDOWS\System32\remv3.bat


        * Start CCleaner and click Run Cleaner (bottom right)

        * Reboot your PC normally again and post a new HijackThis log.
        Last edited by miekiemoes; 23-12-04, 06:20.

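Added example, not part of this thread and not HijackThis's own logic: a Python script that encodes the triage the helper did by hand in the post above, run over a constructed sample of lines copied from the logs posted in this thread. It flags the same classes of entries that were ticked for Fix Checked: R0/R1 values reset to about:blank, the unnamed O2 BHO, O4 startup entries whose command is a bare filename (or whose [label] is a .dll while the command is an .exe), any O15 Trusted Zone addition, and O17 NameServer values outside an expected set. Two things are assumptions, not facts from the thread: that the resolver pair in the first log (195.238.2.21 and 195.238.2.22) is the ISP's legitimate one, and that PROMon.exe is a known-good bare-filename entry. Later logs in this thread show the resolvers changed to 69.50.166.94 and 69.31.80.244, which the O17 check picks up.

```python
"""Heuristic triage of a HijackThis v1.99 log (added example, not from the thread)."""
import re
from typing import List, Optional, Tuple

# Assumption: the resolver pair in the thread's first log is the ISP's own.
EXPECTED_DNS = {"195.238.2.21", "195.238.2.22"}
# Assumption: bare-filename Run entries known to be legitimate on this machine.
KNOWN_BARE = {"PROMon.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

Finding = Tuple[str, str, str]  # (section, reason, original log line)


def check_r(body: str) -> Optional[str]:
    # Every R0/R1 value of about:blank was ticked; the google.be Start Page was left alone.
    return "IE default/search URL reset to about:blank" if body.endswith("= about:blank") else None


def check_o2(body: str) -> Optional[str]:
    return "Browser Helper Object with no name" if body.startswith("BHO: (no name)") else None


def check_o4(body: str) -> Optional[str]:
    m = O4_RE.match(body)
    if not m:                               # Global Startup .lnk lines and the like
        return None
    label, cmd = m["label"], m["cmd"]
    exe = cmd.split()[0].strip('"')
    if "\\" in exe or exe in KNOWN_BARE:    # full vendor path, or allow-listed
        return None
    reason = "startup command is a bare filename resolved via PATH"
    if label.lower().endswith(".dll") and not exe.lower().endswith(".dll"):
        reason += "; label %r does not match command %r" % (label, exe)
    return reason


def check_o15(body: str) -> Optional[str]:
    if not body.startswith("Trusted Zone:"):
        return None
    host = re.sub(r"^\w+://", "", body.split(":", 1)[1].strip())
    notes = ["site added to IE Trusted Zone"]
    if host.startswith("*."):
        notes.append("wildcard covers every subdomain")
    if IP_RE.match(host.lstrip("*.")):
        notes.append("target is a bare IP address")
    return "; ".join(notes)


def check_o17(body: str) -> Optional[str]:
    m = O17_RE.search(body)
    if not m:
        return None
    servers = set(re.split(r"[,\s]+", m["servers"].strip()))
    rogue = sorted(servers - EXPECTED_DNS)
    return "NameServer outside expected set: %s" % ", ".join(rogue) if rogue else None


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2,
          "O4": check_o4, "O15": check_o15, "O17": check_o17}


def triage(log_text: str) -> List[Finding]:
    """Return (section, reason, line) for every entry one of the checks objects to."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:                           # header, process list, blank lines
            continue
        check = CHECKS.get(m["sec"])
        reason = check(m["body"]) if check else None
        if reason:
            findings.append((m["sec"], reason, line))
    return findings


# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: (no name) - {5EDA2C52-1A95-4F77-9F44-83DDC2E24A00} - C:\Windows\System32\msmn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [winusb.dll] winguard.exe
O4 - HKLM\..\RunServices: [winusb.dll] winguard.exe
O4 - HKCU\..\Run: [Go And Start] svdll32.exe
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O15 - Trusted Zone: http://*.search-soft.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{959E91CA-8B89-40D6-B692-E42F33F61029}: NameServer = 195.238.2.21 195.238.2.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B2991F1-123B-4FEA-96A4-8E6F4EDD585D}: NameServer = 69.50.166.94,69.31.80.244
"""

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (sec, reason, line))
```

The output is a candidate list, not a verdict: vendor tray tools and rundll32 entries (the AME_CSA line in the logs above) also run as bare filenames, which is why the script carries an allow list and why the remv3.bat log itself warns that it "might also list legit Files". An O17 finding is worth checking before anything else, because with hijacked resolvers every later download, including the cleanup tools, is fetched from wherever the attacker's DNS points.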


        • #5
          I had booted into safe mode, but hadn't copied those txt files into it.

          All the files except mshi.dll were present and I deleted them.

          On startup I did get an error that it
          couldn't find qappsrvc32.exe.

          My HijackThis logfile

          Logfile of HijackThis v1.99.0
          Scan saved at 15:23:49, on 23/12/2004
          Platform: Windows XP SP1 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

          Running processes:
          C:\Windows\System32\smss.exe
          C:\Windows\system32\winlogon.exe
          C:\Windows\system32\services.exe
          C:\Windows\system32\lsass.exe
          C:\Windows\system32\svchost.exe
          C:\Windows\System32\svchost.exe
          C:\Program Files\Sygate\SPF\smc.exe
          C:\Windows\system32\spoolsv.exe
          C:\Windows\Explorer.EXE
          C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
          C:\Windows\Cpqdiag\Cpqdfwag.exe
          C:\Windows\System32\NMSSvc.exe
          C:\Windows\System32\svchost.exe
          C:\Program Files\Network Associates\VirusScan\VsStat.exe
          C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
          C:\Program Files\Network Associates\VirusScan\Avconsol.exe
          C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
          C:\Program Files\Network Associates\VirusScan\Webscanx.exe
          C:\Windows\System32\wuauclt.exe
          C:\Windows\System32\igfxtray.exe
          C:\Windows\System32\hkcmd.exe
          C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
          C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
          C:\Windows\System32\PROMon.exe
          C:\Windows\System32\rundll32.exe
          C:\Windows\System32\NotifyPhoneBook.exe
          C:\Program Files\QuickTime\qttask.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd.exe
          C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe
          C:\Program Files\MSN Messenger\msnmsgr.exe
          C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
          C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
          C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
          C:\Compaq\EAKDRV\EAUSBKBD.EXE
          C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
          C:\Windows\System32\HPZipm12.exe
          C:\Documents and Settings\Jef\Desktop\hijackthis.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
          O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
          O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
          O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
          O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
          O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
          O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
          O4 - HKLM\..\Run: [CloseDNF] C:\Windows\System32\Utility.exe \1008
          O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
          O4 - HKLM\..\Run: [NeroCheck] C:\Windows\System32\\NeroCheck.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
          O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
          O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
          O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
          O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
          O15 - Trusted Zone: http://*.63.219.181.7

          O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100770838125
          O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
          O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
          O17 - HKLM\System\CCS\Services\Tcpip\..\{2B2991F1-123B-4FEA-96A4-8E6F4EDD585D}: NameServer = 69.50.166.94,69.31.80.244
          O17 - HKLM\System\CCS\Services\Tcpip\..\{959E91CA-8B89-40D6-B692-E42F33F61029}: NameServer = 69.50.166.94 69.31.80.244
          O17 - HKLM\System\CCS\Services\Tcpip\..\{9B0A9C42-E43D-4568-A5BF-570598530AF2}: NameServer = 69.50.166.94,69.31.80.244
          O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
          O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
          O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
          O23 - Service: Intel(R) NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
          O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\System32\HPZipm12.exe
          O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



          • #6
            * Start HijackThis and tick the following items:

            O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
            O15 - Trusted Zone: http://*.63.219.181.7


            * Close all open windows except HijackThis and click: Fix Checked.

            Reboot!! Then post a new HijackThis log plus the log from remv3.bat that you got after the last time you ran it.. (I forgot to ask for that)
            Last edited by miekiemoes; 23-12-04, 15:16.



            • #7
              Logfile:

              Files Found.................
              ----------------------------------------
              spnping.exe
              qappsrvc32.exe
              dx9vbc.dll
              dnsauth.dll
              taskopen.exe

              Files Not deleted.................
              ----------------------------------------

              Merging registry entries
              -----------------------------------------------------------------
              The Registry Entries Found...
              -----------------------------------------------------------------


              Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
              -----------------------------------------------------------------
              hdfe.dll
              msef.dll
              msi.dll
              Finished


              Hijackthis:

              Logfile of HijackThis v1.99.0
              Scan saved at 16:33:35, on 23/12/2004
              Platform: Windows XP SP1 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

              Running processes:
              C:\Windows\System32\smss.exe
              C:\Windows\system32\winlogon.exe
              C:\Windows\system32\services.exe
              C:\Windows\system32\lsass.exe
              C:\Windows\system32\svchost.exe
              C:\Windows\System32\svchost.exe
              C:\Program Files\Sygate\SPF\smc.exe
              C:\Windows\system32\spoolsv.exe
              C:\Windows\Explorer.EXE
              C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
              C:\Windows\System32\igfxtray.exe
              C:\Windows\System32\hkcmd.exe
              C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
              C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
              C:\Windows\System32\PROMon.exe
              C:\Windows\Cpqdiag\Cpqdfwag.exe
              C:\Windows\System32\rundll32.exe
              C:\Windows\System32\NMSSvc.exe
              C:\Windows\System32\NotifyPhoneBook.exe
              C:\Program Files\QuickTime\qttask.exe
              C:\Program Files\HP\HP Software Update\HPWuSchd.exe
              C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe
              C:\Program Files\MSN Messenger\msnmsgr.exe
              C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
              C:\Windows\System32\svchost.exe
              C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
              C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
              C:\Compaq\EAKDRV\EAUSBKBD.EXE
              C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
              C:\Program Files\Network Associates\VirusScan\VsStat.exe
              C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
              C:\Program Files\Network Associates\VirusScan\Avconsol.exe
              C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
              C:\Windows\System32\HPZipm12.exe
              C:\Program Files\Network Associates\VirusScan\Webscanx.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Windows\System32\wuauclt.exe
              C:\Documents and Settings\Jef\Desktop\hijackthis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
              O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
              O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
              O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
              O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
              O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
              O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
              O4 - HKLM\..\Run: [CloseDNF] C:\Windows\System32\Utility.exe \1008
              O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
              O4 - HKLM\..\Run: [NeroCheck] C:\Windows\System32\\NeroCheck.exe
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
              O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Program Files\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
              O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
              O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
              O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100770838125
              O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
              O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
              O17 - HKLM\System\CCS\Services\Tcpip\..\{2B2991F1-123B-4FEA-96A4-8E6F4EDD585D}: NameServer = 69.50.166.94,69.31.80.244
              O17 - HKLM\System\CCS\Services\Tcpip\..\{959E91CA-8B89-40D6-B692-E42F33F61029}: NameServer = 69.50.166.94 69.31.80.244
              O17 - HKLM\System\CCS\Services\Tcpip\..\{9B0A9C42-E43D-4568-A5BF-570598530AF2}: NameServer = 69.50.166.94,69.31.80.244
              O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
              O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
              O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
              O23 - Service: Intel(R) NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
              O23 - Service: Pml Driver HPZ12 - HP - C:\Windows\System32\HPZipm12.exe
              O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



              • #8
                From your previous post I assume you have also already removed these .dlls from your system32?:
                hdfe.dll
                msef.dll

                If not, do that first.
                Apart from that, your log is clean again.
                Are you still having any problems?

                How to prevent situations like this:

                Download and install Hitman Pro
                See on the site how to configure the program correctly (screenshot available)
                This is an automated tool that does a full system scan with several antispyware scanners such as Spybot S&D, Ad-Aware SE, SpySweeper.. It also installs SpywareBlaster and configures it automatically for you. You don't have to do anything; Hitman Pro does all of this automatically for you, including updating your antispyware scanners. Run Hitman Pro regularly.

                And perhaps choose an alternative browser such as Firefox.

                I also advise you to run an online virus scan now and then: HouseCall and/or BitDefender. Because what one scanner can't find, another may.
                Also make sure the virus scanner installed on your system is always up to date!!

                And... visit regularly: http://windowsupdate.microsoft.com/

                Also have a look at these 2 videos.. Very interesting:



                Happy surfing again!



                • #9
                  I think my virus scanner removed these.

                  I'm already a Firefox user (only when it can't be avoided)

                  I'll check out Hitman Pro right away

                  The virus scanner is installed (it was only off for a few days)

                  And I visit windows.update.com regularly (on average once every 2 weeks)
                  Only Service Pack 2 I don't want to install

                  Thanks for your help



                  • #10
                    You're welcome... And, just leave your virus scanner on all the time.
