Vraag & Antwoord

Beveiliging & privacy

Hijack graag nakijken

8 antwoorden
  • Hoi, we hebben last van iewww en ewupdater, wie kan even deze hijack-log nakijken? Bij voorbaat dank, Peter. Logfile of HijackThis v1.98.2 Scan saved at 1:12:43, on 8-9-04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\ANVSHELL.EXE C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\CPAL\CPBRWTCH.EXE C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\NEDSOFT\NEDSOFT VIRTUELE CD-ROMSPELER\CDMAN.EXE C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\WINDOWS\EWUPDATER.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\CPAL\CPAL.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS1982.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easywebsearch.nl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easywebsearch.nl/ie.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easywebsearch.nl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easywebsearch.nl/ie.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easywebsearch.nl R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easywebsearch.nl/ie.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easywebsearch.nl/ie.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.78.222.159 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen F1 - win.ini: run=hpfsched O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITBHO.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [anvshell] anvshell.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [Cookie Pal] "C:\PROGRAM FILES\CPAL\CPBrWtch.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [cdman.exe] "C:\Program Files\Nedsoft\Nedsoft Virtuele CD-Romspeler\cdman.exe" /startup O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [easywww] C:\WINDOWS\iewww.exe O4 - HKLM\..\Run: [ewupdater] C:\WINDOWS\EWUPDATER.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui" O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Frontpage 2000\Office\OSA9.EXE O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSECS.cab O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.61.71.5/~parkhilaria/inhoud/webcam/AxisCamControl.ocx O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) - http://s7.blingblingcontent.com/toolbarcash/activex/easywebinstaller.ocx
  • Sluit alle browservensters en fix onderstaande items. [code:1:9b532acf1f]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easywebsearch.nl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easywebsearch.nl/ie.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easywebsearch.nl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easywebsearch.nl/ie.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easywebsearch.nl R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easywebsearch.nl/ie.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.easywebsearch.nl/ie.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.78.222.159 O4 - HKLM\..\Run: [easywww] C:\WINDOWS\iewww.exe O4 - HKLM\..\Run: [ewupdater] C:\WINDOWS\EWUPDATER.EXE O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSECS.cab O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.61.71.5/~parkhilaria/inhoud/webcam/AxisCamControl.ocx O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) - http://s7.blingblingcontent.com/toolbarcash/activex/easywebinstaller.ocx[/code:1:9b532acf1f] Boot naar veilige modus en verwijder de map. [code:1:9b532acf1f]C:\Program Files\QuickPage[/code:1:9b532acf1f] Verwijder (nog steeds in veilige modus) deze bestanden. [code:1:9b532acf1f]C:\WINDOWS\EWUPDATER.EXE C:\WINDOWS\iewww.exe[/code:1:9b532acf1f] Boot terug naar winmode en post een nieuwe log.
  • Hoi, 2 opmerkingen: - de eerste O16 stond er niet meer en - Quickpage was niet aanwezig Nieuwe log: Logfile of HijackThis v1.98.2 Scan saved at 18:42:59, on 9-9-04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE C:\WINDOWS\EXPLORER.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\ANVSHELL.EXE C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\CPAL\CPBRWTCH.EXE C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\NEDSOFT\NEDSOFT VIRTUELE CD-ROMSPELER\CDMAN.EXE C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS1982.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen F1 - win.ini: run=hpfsched O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITBHO.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [anvshell] anvshell.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [Cookie Pal] "C:\PROGRAM FILES\CPAL\CPBrWtch.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [cdman.exe] "C:\Program Files\Nedsoft\Nedsoft Virtuele CD-Romspeler\cdman.exe" /startup O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ewupdater] C:\WINDOWS\EWUPDATER.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui" O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Frontpage 2000\Office\OSA9.EXE O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll En nog een paar vragen: - in WINDOWS-map staat easybarinstall.exe van 2-9-4, is dat ook wat? - weten jullie misschien de oorsprong van de bestanden met een naam in de vorm van: ebfcb73d_{60D23020-F18D-11D8-8E4C-0008540A0ADB}.tmp die minimaal dagelijks als paar voorkomen? Alvast bedankt, Peter.
  • [edit] Log ziet er nog niet schoon uit. [code:1:066ffd3cee]O4 - HKLM\..\Run: [ewupdater] C:\WINDOWS\EWUPDATER.EXE[/code:1:066ffd3cee] Bovenstaande nog fixen aub. Verwijder verder in veilige modus het bestand zelf nog. Overigens zou ik je IE 6 willen aanbevelen boven je huidige 5.5. Easybarinstaller.exe mag verwijderd en de Windows\Temp map mag je gewoon leeg gooien.
  • Hoi egslim, ewupdater nu verdwenen uit hijackthis, en bestand was al weg (terwijl ik hem de eerste keer al had verwijderd, maar goed). Die bestanden met die rare naam staan niet in (windows)\temp maar in windows! Dus temp leegmaken haalt niks uit. Hier het laatste paar: fa015bc9_{100E6CE0-028F-11D9-8E4C-0008540A0ADB}.tmp fa015bc9_{100E6CE1-028F-11D9-8E4C-0008540A0ADB}.tmp en hier het vorige paar: f8754dcd_{C505A9E0-028C-11D9-8E4C-0008540A0ADB}.tmp f8754dcd_{C505A9E1-028C-11D9-8E4C-0008540A0ADB}.tmp Het zijn lege bestanden, dus zonder spaties of hex00. Ze worden in ieder geval aangemaakt bij opstarten. Wat zijn het? Peter.
  • Egslim!?
  • Sorry Rieske, ik had die naam in mijn kop van een andere vraag. sorry, sorry, sorry, weet je toch een antwoord?
  • En ze komen ook terug nu ewupdater.exe verwijderd is?

Beantwoord deze vraag

Weet jij het antwoord op deze vraag? Registreer of meld je aan met je account

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.