Log 24-12-04

  • Log 24-12-04

    Dear all,

    Scanned with Adaware and Spybot. Now I have run HijackThis; can someone take a look at this log?
    Thanks in advance...

    Logfile of HijackThis v1.99.0
    Scan saved at 17:24:18, on 24-12-04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\HKCMD.EXE
    C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE
    C:\XKGUQEYD.EXE
    C:\PROGRAM FILES\SPYBLOCS\SPYBLOCS.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\0TMNRXB1FBZC8.EXE
    C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31130123321001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31130123321001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31130123321001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\GFWVSN~1.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE
    O4 - HKLM\..\Run: [MyPS1U] C:\XKGUQEYD.EXE
    O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
    O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\0TMNRXB1FBZC8.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    Rudie

  • #2
    Hello Rudie,


    1. Remove SpyBlocs. That program is on the blacklist of bad, untrustworthy spyware scanners: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    2. Scan with HijackThis and tick the following items:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31130123321001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31130123321001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31130123321001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\GFWVSN~1.DLL

    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE
    O4 - HKLM\..\Run: [MyPS1U] C:\XKGUQEYD.EXE
    O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\0TMNRXB1FBZC8.EXE

    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    Close all windows except HijackThis itself and click "Fix checked".

    3. Restart the PC in safe mode.
    If you don't know how to do that, have a look here: http://www.virushelp.nl/veilige_modus.htm

    Make sure that hidden files and folders are shown.
    You can read how to do that here: http://users.telenet.be/marcvn/spyware/1117602.htm

    Now, so in safe mode, delete the following files and folders (insofar as they are still present):

    C:\XKGUQEYD.EXE <- that file
    C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE <- that file
    C:\WINDOWS\SYSTEM\0TMNRXB1FBZC8.EXE <- that file
    C:\PROGRAM FILES\ISTSVC <- that folder

    4. Restart the PC in 'normal mode'.

    5. Run a full scan with AdAware SE. Note: AdAware 6 is outdated. So install AdAware SE, run a full scan with it and have everything that is found removed: http://www.nucia.eu/adaware/handleiding.html
    Then restart the PC.

    6. Create a new HijackThis log and post it here.



    • #3
      Hey Buffy,

      I did what you said, only a lot has come back because I keep having to restart my computer. Because my mouse is not detected in safe mode, this simply had to be done. I recognize, for example, that start page and those other things at the bottom of the log. I think it will work after this time, so if you could be patient with me a little longer.

      Regards, Rudie.

      Logfile of HijackThis v1.99.0
      Scan saved at 22:17:01, on 24-12-04
      Platform: Windows 98 SE (Win9x 4.10.2222A)
      MSIE: Internet Explorer v5.00 (5.00.2919.6304)

      Running processes:
      C:\WINDOWS\SYSTEM\KERNEL32.DLL
      C:\WINDOWS\SYSTEM\MSGSRV32.EXE
      C:\WINDOWS\SYSTEM\MPREXE.EXE
      C:\WINDOWS\SYSTEM\mmtask.tsk
      C:\WINDOWS\SYSTEM\MDM.EXE
      C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
      C:\WINDOWS\SYSTEM\HIDSERV.EXE
      C:\WINDOWS\EXPLORER.EXE
      C:\WINDOWS\TASKMON.EXE
      C:\WINDOWS\SYSTEM\SYSTRAY.EXE
      C:\WINDOWS\SYSTEM\USBMONIT.EXE
      C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
      C:\WINDOWS\SYSTEM\HKCMD.EXE
      C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
      C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
      C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
      C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
      C:\WINDOWS\SYSTEM\DDHELP.EXE
      C:\WINDOWS\SYSTEM\WMIEXE.EXE
      C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
      C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
      C:\WINDOWS\TEMP\HIJACKTHIS.EXE

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
      O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\ZS73VN~1.DLL
      O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
      O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
      O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
      O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
      O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
      O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
      O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
      O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
      O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE
      O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
      O4 - HKLM\..\Run: [MyPS1U] C:\XKGUQEYD.EXE
      O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
      O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
      O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
      O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
      O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O14 - IERESET.INF: SEARCH_PAGE_URL=
      O14 - IERESET.INF: START_PAGE_URL=



      • #4
        1. Scan with HijackThis and tick the following items:
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

        O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\ZS73VN~1.DLL

        O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE
        O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
        O4 - HKLM\..\Run: [MyPS1U] C:\XKGUQEYD.EXE

        O14 - IERESET.INF: SEARCH_PAGE_URL=
        O14 - IERESET.INF: START_PAGE_URL=
        Close all windows except HijackThis itself and click "Fix checked".

        2. Restart the PC.

        3. Download and install CCleaner: http://www.ccleaner.com/
        Start this program and click the "Run Cleaner" button.

        4. Restart the PC, create a new HijackThis log and post it here.



        • #5
          Did and downloaded everything. Didn't even have to restart.

          Here is my new log.

          Logfile of HijackThis v1.99.0
          Scan saved at 23:39:58, on 24-12-04
          Platform: Windows 98 SE (Win9x 4.10.2222A)
          MSIE: Internet Explorer v5.00 (5.00.2919.6304)

          Running processes:
          C:\WINDOWS\SYSTEM\KERNEL32.DLL
          C:\WINDOWS\SYSTEM\MSGSRV32.EXE
          C:\WINDOWS\SYSTEM\MPREXE.EXE
          C:\WINDOWS\SYSTEM\mmtask.tsk
          C:\WINDOWS\SYSTEM\MDM.EXE
          C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
          C:\WINDOWS\SYSTEM\HIDSERV.EXE
          C:\WINDOWS\EXPLORER.EXE
          C:\WINDOWS\TASKMON.EXE
          C:\WINDOWS\SYSTEM\SYSTRAY.EXE
          C:\WINDOWS\SYSTEM\USBMONIT.EXE
          C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
          C:\WINDOWS\SYSTEM\HKCMD.EXE
          C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
          C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
          C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
          C:\WINDOWS\SYSTEM\DDHELP.EXE
          C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
          C:\WINDOWS\SYSTEM\WMIEXE.EXE
          C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
          C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
          C:\WINDOWS\TEMP\HIJACKTHIS.EXE

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
          O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
          O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
          O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
          O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
          O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
          O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
          O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
          O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
          O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
          O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
          O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
          O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
          O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
          O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
          O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
          O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
          O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O14 - IERESET.INF: SEARCH_PAGE_URL=
          O14 - IERESET.INF: START_PAGE_URL=

          Hope it's clean now.

          Thanks



          • #6
            Looks good. Are you still having problems?

            Go to WindowsUpdate as soon as possible to upgrade Internet Explorer to version 6.00. You are still browsing with version 5.00, which is very outdated and chock-full of holes that these hijackers can very easily exploit. Make sure you install version 6.00 as soon as possible; this is really very important.

            Also read through these pages:
            http://www.nucia.eu/forum/showthread.php?t=55
            http://www.nucia.eu/main/spyware_hoevoorkom.html
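
An added example, not part of the original posts: a small Python check that takes the entries ticked for "Fix checked" and reports which of them are still present in a later HijackThis log, matching BHO (O2) entries by CLSID so that a DLL that returns under a new file name is still caught. The function names and status labels are this example's own; the sample lines are shortened excerpts of the logs in this thread.

```python
import re

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")  # e.g. "O4 - ..."
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_entries(log_text):
    """Map an identity key to the full line of each HijackThis entry."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        clsid = CLSID.search(body) if code == "O2" else None
        # A BHO is identified by its CLSID; its DLL file name may change.
        key = (code, clsid.group(0).upper() if clsid else body.lower())
        entries[key] = line.strip()
    return entries

def recheck(fixed_text, later_log_text):
    """Return (status, fixed_line) for every entry that was ticked."""
    later = parse_entries(later_log_text)
    result = []
    for key, line in parse_entries(fixed_text).items():
        if key not in later:
            status = "gone"
        elif later[key].lower() == line.lower():
            status = "persists"
        else:
            status = "renamed"  # same CLSID, different file
        result.append((status, line))
    return result

# Shortened excerpts of the lines posted in this thread.
FIXED = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\GFWVSN~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe"""
SCAN_2217 = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\ZS73VN~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\5FMP9ZPP5FNMZTHD.EXE"""
SCAN_2339 = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe\""""

if __name__ == "__main__":
    for name, log in (("22:17", SCAN_2217), ("23:39", SCAN_2339)):
        for status, line in recheck(FIXED, log):
            print(name, status, line)
```

Against the 22:17 excerpt the start page and the Run entry persist and the BHO shows as renamed; against the 23:39 excerpt every ticked entry is gone.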
