Pop-ups, worm (mabuta) and trojan horses (istbar?)

  • Pop-ups, worm (mabuta) and trojan horses (istbar?)

    Logfile of HijackThis v1.99.0
    Scan saved at 16:33:02, on 27-12-2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Linksts.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\ewupdater.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\download\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/search?hl=nl&ie=UTF-8&q=jelletink&lr=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\ms7531.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Wanadoo
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.wanadoo.nl:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.wanadoo.nl;signup.wanadoo.nl;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [ewupdater] C:\WINDOWS\ewupdater.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\windows\bjfsivba.dll,_mainRD
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Wanadoo Menu] C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE /S:T
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.05.04&http://www9.volvo.com/truck/3dtruckconfigurator2/all/fh16.asp
    O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/5/ms7531_nl.cab
    O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) - http://s7.blingblingcontent.com/toolbarcash/activex/easywebinstaller.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/nl/win/QuickTimeInstaller.exe
    O16 - DPF: {4E15D681-0000-0000-0000-000000000000} - http://www.euroklik.nl/plugins_met_herhaal_bezoek/pacmannl205.exe
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.erototaal.nl/plugin/****clubnl013.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
    O16 - DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} (OBInstallRunner Control) - http://www.opinionbar.com/download/resources/OBInstallCabinet.CAB
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

  • #2
    Hi mjansma,

    You have an enormous amount of junk running! We'll have to do this in several stages.

    Download Ad-aware SE and update it (globe icon, then Connect). Click "Perform Full System Scan". Uncheck "Search for negligible risk entries" and click "Next". Remove everything AdAware finds.

    Restart your computer and scan again. Repeat this until AdAware finds nothing more.

    Download SpyBot S+D.
    After installation, click "Search for Updates" and download what the program finds.
    Click "Search & Destroy" and then "Check for problems". Remove what it finds.

    Have your computer checked on these sites:

    Housecall Anti Virus Panda Anti Virus Trojan Scan

    And this is the link to McAfee AVERT Stinger with instructions for use.

    Tick "Auto Clean" before you scan. If it cannot clean something, let it delete it, or note the location so you can delete it yourself.

    Download LSPfix from this address: http://www.nucia.eu/expertzone/lspfix.html
    Start the program and click the "I know what I'm doing" checkbox.
    Check all instances of aklsp.dll (and nothing else!) and move them to the "Remove" pane.
    Click "Finish" and restart the computer.

    Download the attachment and unpack it. Inside this file is a batch file named Find.bat. This file creates a log; post it.

    Also post a HijackThis log.
    Attached Files


    • #3
      Warning! This utility will find legitimate files in addition to malware.
      Do not remove anything unless you are sure you know what you're doing.

      Find.bat is running from: C:\download\anti-virus\Find It NT-2K-XP

      ------- System Files in System32 Directory -------
      Het volume in station C heeft geen naam.
      Het volumenummer is DC8C-9BB8

      Map van C:\WINDOWS\System32

      31-12-2004 10:42 224.484 guard.tmp
      31-12-2004 00:45 224.505 k6620gjoe6oc0.dll
      30-12-2004 09:40 222.722 ijmui.dll
      24-12-2004 20:47 224.471 hrrq0595e.dll
      23-12-2004 14:27 14.084 KGyGaAvL.sys
      16-12-2004 17:39 224.738 lvpu0979e.dll
      16-12-2004 11:09 226.271 jtp2077oe.dll
      16-12-2004 11:09 223.128 en48l1hu1.dll
      15-12-2004 21:33 225.891 irr0l59m1.dll
      08-12-2004 00:06 224.643 i260lcjm1foa.dll
      07-12-2004 14:37 224.346 k2620cjoefoc0.dll
      07-12-2004 14:35 223.533 m246lchs1f46.dll
      06-12-2004 21:39 223.210 h62o0gf3e62.dll
      01-12-2004 01:19 222.524 dnr8019ue.dll
      27-11-2004 11:57 223.397 mvpul9791.dll
      30-10-2004 14:26 56 613F71FE66.sys
      30-10-2004 14:26 56 3AD086D160.sys
      24-01-2003 01:04 <DIR> Microsoft
      22-01-2003 16:37 <DIR> dllcache
      17 bestand(en) 3.152.059 bytes
      2 map(pen) 9.076.703.232 bytes beschikbaar

      ------- Hidden Files in System32 Directory -------

      Het volume in station C heeft geen naam.
      Het volumenummer is DC8C-9BB8

      Map van C:\WINDOWS\System32

      23-12-2004 14:27 14.084 KGyGaAvL.sys
      30-10-2004 14:26 56 613F71FE66.sys
      30-10-2004 14:26 56 3AD086D160.sys
      08-09-2004 20:06 488 WindowsLogon.manifest
      08-09-2004 20:06 488 logonui.exe.manifest
      08-09-2004 20:05 749 cdplayer.exe.manifest
      08-09-2004 20:05 749 ncpa.cpl.manifest
      08-09-2004 20:05 749 nwc.cpl.manifest
      08-09-2004 20:05 749 sapi.cpl.manifest
      08-09-2004 20:05 749 wuaucpl.cpl.manifest
      23-12-2003 16:37 <DIR> GroupPolicy
      22-01-2003 16:37 <DIR> dllcache
      10 bestand(en) 18.917 bytes
      2 map(pen) 9.076.686.848 bytes beschikbaar

      ---------- Files Named "Guard" -------------

      Het volume in station C heeft geen naam.
      Het volumenummer is DC8C-9BB8

      Map van C:\WINDOWS\System32

      31-12-2004 10:42 224.484 guard.tmp
      1 bestand(en) 224.484 bytes
      0 map(pen) 9.076.670.464 bytes beschikbaar

      --------- Temp Files in System32 Directory --------

      Het volume in station C heeft geen naam.
      Het volumenummer is DC8C-9BB8

      Map van C:\WINDOWS\System32

      31-12-2004 10:42 224.484 guard.tmp
      07-09-2001 12:00 2.845 CONFIG.TMP
      2 bestand(en) 227.329 bytes
      0 map(pen) 9.076.654.080 bytes beschikbaar

      ---------------- User Agent ------------

      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
      "{ED3C5821-E494-479F-96A6-61765C688213}"=""


      ------------ Keys Under Notify ------------

      REGEDIT4

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
      "Asynchronous"=dword:00000000
      "Impersonate"=dword:00000000
      "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
      "Logoff"="ChainWlxLogoffEvent"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
      "Asynchronous"=dword:00000000
      "Impersonate"=dword:00000000
      "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
      "Logoff"="CryptnetWlxLogoffEvent"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
      "DLLName"="cscdll.dll"
      "Logon"="WinlogonLogonEvent"
      "Logoff"="WinlogonLogoffEvent"
      "ScreenSaver"="WinlogonScreenSaverEvent"
      "Startup"="WinlogonStartupEvent"
      "Shutdown"="WinlogonShutdownEvent"
      "StartShell"="WinlogonStartShellEvent"
      "Impersonate"=dword:00000000
      "Asynchronous"=dword:00000001

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
      "DLLName"="wlnotify.dll"
      "Logon"="SCardStartCertProp"
      "Logoff"="SCardStopCertProp"
      "Lock"="SCardSuspendCertProp"
      "Unlock"="SCardResumeCertProp"
      "Enabled"=dword:00000001
      "Impersonate"=dword:00000001
      "Asynchronous"=dword:00000001

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
      "Asynchronous"=dword:00000000
      "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
      "Impersonate"=dword:00000000
      "StartShell"="SchedStartShell"
      "Logoff"="SchedEventLogOff"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
      "Logoff"="WLEventLogoff"
      "Impersonate"=dword:00000000
      "Asynchronous"=dword:00000001
      "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
      "DLLName"="WlNotify.dll"
      "Lock"="SensLockEvent"
      "Logon"="SensLogonEvent"
      "Logoff"="SensLogoffEvent"
      "Safe"=dword:00000001
      "MaxWait"=dword:00000258
      "StartScreenSaver"="SensStartScreenSaverEvent"
      "StopScreenSaver"="SensStopScreenSaverEvent"
      "Startup"="SensStartupEvent"
      "Shutdown"="SensShutdownEvent"
      "StartShell"="SensStartShellEvent"
      "PostShell"="SensPostShellEvent"
      "Disconnect"="SensDisconnectEvent"
      "Reconnect"="SensReconnectEvent"
      "Unlock"="SensUnlockEvent"
      "Impersonate"=dword:00000001
      "Asynchronous"=dword:00000001

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
      "Asynchronous"=dword:00000000
      "DllName"="C:\\WINDOWS\\system32\\gp82l3lo1.dll"
      "Impersonate"=dword:00000000
      "Logon"="WinLogon"
      "Logoff"="WinLogoff"
      "Shutdown"="WinShutdown"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
      "Asynchronous"=dword:00000000
      "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
      "Impersonate"=dword:00000000
      "Logoff"="TSEventLogoff"
      "Logon"="TSEventLogon"
      "PostShell"="TSEventPostShell"
      "Shutdown"="TSEventShutdown"
      "StartShell"="TSEventStartShell"
      "Startup"="TSEventStartup"
      "MaxWait"=dword:00000258
      "Reconnect"="TSEventReconnect"
      "Disconnect"="TSEventDisconnect"

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
      "DLLName"="wlnotify.dll"
      "Logon"="RegisterTicketExpiredNotificationEvent"
      "Logoff"="UnregisterTicketExpiredNotificationEvent"
      "Impersonate"=dword:00000001
      "Asynchronous"=dword:00000001


      ------------------ Locate.com Results ------------------

      C:\WINDOWS\SYSTEM32\
      ijmui.dll Thu 30 Dec 2004 9:40:10 ..S.R 222.722 217,50 K
      kgygaavl.sys Thu 23 Dec 2004 14:27:56 A.SH. 14.084 13,75 K
      irr0l5~1.dll Wed 15 Dec 2004 21:33:00 ..S.R 225.891 220,59 K
      613f71~1.sys Sat 30 Oct 2004 14:26:06 ..SHR 56 0,05 K
      m246lc~1.dll Tue 7 Dec 2004 14:35:58 ..S.R 223.533 218,29 K
      k2620c~1.dll Tue 7 Dec 2004 14:37:24 ..S.R 224.346 219,09 K
      i260lc~1.dll Wed 8 Dec 2004 0:06:06 ..S.R 224.643 219,38 K
      3ad086~1.sys Sat 30 Oct 2004 14:26:04 ..SHR 56 0,05 K
      mvpul9~1.dll Sat 27 Nov 2004 11:57:44 ..S.R 223.397 218,16 K
      h62o0g~1.dll Mon 6 Dec 2004 21:39:02 ..S.R 223.210 217,98 K
      dnr801~1.dll Wed 1 Dec 2004 1:19:58 ..S.R 222.524 217,31 K
      en48l1~1.dll Thu 16 Dec 2004 11:09:18 ..S.R 223.128 217,90 K
      jtp207~1.dll Thu 16 Dec 2004 11:09:20 ..S.R 226.271 220,96 K
      lvpu09~1.dll Thu 16 Dec 2004 17:39:48 ..S.R 224.738 219,47 K
      hrrq05~1.dll Fri 24 Dec 2004 20:47:18 ..S.R 224.471 219,21 K
      guard.tmp Fri 31 Dec 2004 10:42:36 ..S.R 224.484 219,22 K
      k6620g~1.dll Fri 31 Dec 2004 0:45:18 ..S.R 224.505 219,24 K

      17 items found: 17 files, 0 directories.
      Total of file sizes: 3.152.059 bytes 3,00 M

      ------------ Strings.exe Qoologic Results ------------

      C:\WINDOWS\system32\pav.sig: Qoologic
      C:\WINDOWS\system32\pav.sig: Qoologic

      -------------- Strings.exe Aspack Results -------------

      C:\WINDOWS\system32\pav.sig: AsPack

      ----------------- HKLM Run Key ------------------

      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ISDN Monitor"="Linksts.exe W 1024"
      "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
      "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
      "MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
      "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
      "Installed"="1"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
      "Installed"="1"
      "NoChange"="1"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
      "Installed"="1"



      • #4
        Logfile of HijackThis v1.99.0
        Scan saved at 12:10:04, on 31-12-2004
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\Linksts.exe
        C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\Program Files\Messenger Plus! 3\MsgPlus.exe
        C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\MSN Messenger\msnmsgr.exe
        C:\Program Files\Skype\Phone\Skype.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\WINDOWS\System32\tcpsvcs.exe
        C:\WINDOWS\System32\snmp.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\devldr32.exe
        C:\WINDOWS\System32\wuauclt.exe
        C:\WINDOWS\system32\rundll32.exe
        C:\WINDOWS\explorer.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\PROGRA~1\WINZIP\winzip32.exe
        C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
        C:\WINDOWS\system32\NOTEPAD.EXE
        C:\download\hijack\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/search?hl=nl&ie=UTF-8&q=jelletink&lr=
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\ms7531.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Wanadoo
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.wanadoo.nl:8080
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.wanadoo.nl;signup.wanadoo.nl;<local>
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - Default URLSearchHook is missing
        F1 - win.ini: run=C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE
        O1 - Hosts: 69.20.16.183 ieautosearch
        O1 - Hosts: 69.20.16.183 auto.search.msn.com
        O1 - Hosts: 69.20.16.183 search.netscape.com
        O1 - Hosts: 69.20.16.183 ieautosearch
        O1 - Hosts: 69.20.16.183 ieautosearch
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
        O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
        O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [Wanadoo Menu] C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE /S:T
        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
        O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
        O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
        O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
        O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
        O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
        O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
        O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
        O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.08.43&unknown&unknown&http://www.volvocars.nl/Showroom/V50/Prijs+en+Fotos/V503D.htm
        O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
        O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
        O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/5/ms7531_nl.cab
        O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) - http://s7.blingblingcontent.com/toolbarcash/activex/easywebinstaller.ocx
        O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/nl/win/QuickTimeInstaller.exe
        O16 - DPF: {4E15D681-0000-0000-0000-000000000000} - http://www.euroklik.nl/plugins_met_herhaal_bezoek/pacmannl205.exe
        O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.erototaal.nl/plugin/****clubnl013.exe
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
        O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
        O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
        O16 - DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} (OBInstallRunner Control) - http://www.opinionbar.com/download/resources/OBInstallCabinet.CAB
        O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
        O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/player/Install3.0/Installer.exe
        O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
        O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
        O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/activex/HMAtchmt.ocx
        O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
        O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


        • #5
          With Ad-Aware I'm still stuck with a VX2, even after scanning and rebooting several times. I think I'm rid of the Mabuta worm, and of that Istbar too. At least I don't get any more alerts about them.


          • #6
            Hi mjansma,

            Open the Control Panel, then "Add or Remove Programs" and "Change or Remove Programs". Select the following items and click "Remove" for each of them:
            • Viewpoint Media Player


            Start Notepad, and copy and paste the text below into a new file. Save it as fixme.reg on the desktop.

            REGEDIT4

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
            "{ED3C5821-E494-479F-96A6-61765C688213}"=-
            [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
            Find fixme.reg on the desktop and double-click it.
            You will be asked something like "Are you sure you want to add this to the registry?". Answer "Yes" and wait for a message along the lines of "Information has been added".

            Download Killbox from Option^Explicit. Unpack it and double-click Killbox.exe to run it. Click "Delete on Reboot", enter C:\WINDOWS\System32\guard.tmp in the "Full Path of File to Delete" box and click the button with the white cross in the red circle. You will be asked "File will be Deleted on Next Reboot". Answer "Yes". After that you will be asked "File will be Removed on Reboot, Do you want to reboot now?". Answer "No". Do the same for the following files, but answer "Yes" to the reboot question after the last file.
            C:\WINDOWS\System32\k6620gjoe6oc0.dll
            C:\WINDOWS\System32\ijmui.dll
            C:\WINDOWS\System32\hrrq0595e.dll
            C:\WINDOWS\System32\KGyGaAvL.sys
            C:\WINDOWS\System32\lvpu0979e.dll
            C:\WINDOWS\System32\jtp2077oe.dll
            C:\WINDOWS\System32\en48l1hu1.dll
            C:\WINDOWS\System32\irr0l59m1.dll
            C:\WINDOWS\System32\i260lcjm1foa.dll
            C:\WINDOWS\System32\k2620cjoefoc0.dll
            C:\WINDOWS\System32\m246lchs1f46.dll
            C:\WINDOWS\System32\h62o0gf3e62.dll
            C:\WINDOWS\System32\dnr8019ue.dll
            C:\WINDOWS\System32\mvpul9791.dll
            After this, Killbox restarts the computer.

            Start HijackThis, click "Scan" and check the following items.

            R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\ms7531.html

            R3 - Default URLSearchHook is missing

            F1 - win.ini: run=C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE

            O1 - Hosts: 69.20.16.183 ieautosearch
            O1 - Hosts: 69.20.16.183 auto.search.msn.com
            O1 - Hosts: 69.20.16.183 search.netscape.com
            O1 - Hosts: 69.20.16.183 ieautosearch
            O1 - Hosts: 69.20.16.183 ieautosearch

            O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

            O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
            O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

            O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

            O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...otos/V503D.htm
            O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://nl.browserupdate.co.uk/cabs/nl0001/nliq0001.cab
            O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/5/ms7531_nl.cab
            O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) - http://s7.blingblingcontent.com/tool...binstaller.ocx
            O16 - DPF: {4E15D681-0000-0000-0000-000000000000} - http://www.euroklik.nl/plugins_met_h...acmannl205.exe
            O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.erototaal.nl/plugin/****clubnl013.exe
            O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...tx/install.cab

            O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


            Close all programs, including browsers, except HijackThis. Click "Fix checked".

            Start your computer in Safe Mode. How do I start my computer in Safe Mode?

            Make sure you can see hidden files. How do I show hidden files?

            Delete the following files in red (they may already have been deleted):

            C:\WINDOWS\System32\ms7531.html

            Delete the following folders in red (they may already have been deleted):

            C:\Program Files\Viewpoint
            C:\Program Files\Common Files\WinTools

            Restart the computer and post a new log in this thread.
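As an added example (not code from this thread, HijackThis or Find.bat), a Python triage script that applies the reasoning behind posts #3 and #6 to the log formats quoted above: it flags hosts-file search redirects (O1), unknown Winsock LSPs (O10), Winlogon\Notify subkeys whose DllName is a full path or not a stock Windows DLL (the key fixme.reg deletes), and the cluster of near-identical-size, randomly named DLLs in System32 that made up the Killbox list. The allow-list of stock Notify DLLs and the 4096-byte size tolerance are assumptions; the sample lines are constructed from the logs posted in this thread.

```python
# Added example (not code from the thread, HijackThis or Find.bat): flag the
# log patterns the helper acted on. Allow-list and tolerance are assumptions.
import re
from collections import defaultdict

# Assumed allow-list of Winlogon Notify DLLs that ship with Windows XP.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
NOTIFY_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
DLLNAME_STR_RE = re.compile(r'^"DllName"="(.+)"$', re.I)
DLLNAME_HEX_RE = re.compile(r'^"DllName"=hex\(2\):(.+)$', re.I)
# Dutch 'dir' line: dd-mm-yyyy hh:mm size (with '.' thousands separators) name
DIR_RE = re.compile(r"^(\d\d-\d\d-\d{4}) (\d\d:\d\d) ([\d.]+) (\S+)$")


def hosts_hijacks(lines):
    """{ip: [hosts]} for each IP that O1 lines map two or more hostnames to."""
    by_ip = defaultdict(set)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].add(m.group(2))
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) > 1}


def unknown_lsps(lines):
    """Distinct DLLs that HijackThis reports as unknown Winsock LSPs (O10)."""
    return sorted({m.group(1).strip().lower()
                   for m in (LSP_RE.match(l.strip()) for l in lines) if m})


def _decode_hex2(blob):
    # REGEDIT4 hex(2) is an expandable string stored as NUL-terminated ANSI bytes.
    data = bytes(int(b, 16) for b in blob.split(",") if b.strip())
    return data.split(b"\x00", 1)[0].decode("latin-1")


def suspicious_notify_keys(reg_lines):
    """{subkey: dllname} for Winlogon\\Notify entries whose DllName is a full
    path or not a stock DLL; the fixme.reg above deletes exactly such a key."""
    found, current = {}, None
    for raw in reg_lines:
        line = raw.strip()
        if line.startswith("["):
            m = NOTIFY_KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        hex_m, str_m = DLLNAME_HEX_RE.match(line), DLLNAME_STR_RE.match(line)
        if current is None or not (hex_m or str_m):
            continue
        name = _decode_hex2(hex_m.group(1)) if hex_m else str_m.group(1).replace("\\\\", "\\")
        if "\\" in name or name.lower() not in KNOWN_NOTIFY_DLLS:
            found[current] = name
    return found


def dll_size_cluster(dir_lines, tolerance=4096):
    """.dll/.tmp names whose size is within `tolerance` bytes of at least three
    others: the near-identical, randomly named copies on the Killbox list."""
    entries = []
    for raw in dir_lines:
        m = DIR_RE.match(raw.strip())
        if m and m.group(4).lower().endswith((".dll", ".tmp")):
            entries.append((int(m.group(3).replace(".", "")), m.group(4)))
    return sorted(name for size, name in entries
                  if sum(abs(s - size) <= tolerance for s, _ in entries) >= 4)


# Constructed samples, copied from the logs quoted in this thread.
SAMPLE_HJT = """
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\aklsp.dll
""".splitlines()

SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"DllName"="C:\\WINDOWS\\system32\\gp82l3lo1.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISDN Monitor"="Linksts.exe W 1024"
'''.splitlines()

SAMPLE_DIR = """
31-12-2004 10:42 224.484 guard.tmp
31-12-2004 00:45 224.505 k6620gjoe6oc0.dll
30-12-2004 09:40 222.722 ijmui.dll
24-12-2004 20:47 224.471 hrrq0595e.dll
23-12-2004 14:27 14.084 KGyGaAvL.sys
24-01-2003 01:04 <DIR> Microsoft
""".splitlines()
```

Call `hosts_hijacks(SAMPLE_HJT)`, `unknown_lsps(SAMPLE_HJT)`, `suspicious_notify_keys(SAMPLE_REG)` and `dll_size_cluster(SAMPLE_DIR)` to see the four findings; on a real log, feed it the O1/O10 lines, the "Keys Under Notify" dump and the System32 listing respectively.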