Question & Answer

Security & privacy

who can help

4 answers
  • Attached is a HijackThis log file..... I keep getting mk:@MSITStore: C:\spe\start.chm::/start.html# as my start page..... a very pretty nature picture, but not for my son. I can't get it removed, not with Shredder nor with HijackThis. Who is willing to cast an eye over these child-unfriendly pictures? Ronald

    Logfile of HijackThis v1.97.7
    Scan saved at 19:57:40, on 20-9-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program Files\WindUpdates\WinUpdt.exe
    C:\Program Files\WindUpdates\WinKA.exe
    C:\temp\msbb.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\WINDOWS\olecom32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    L:\virusfix_en\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {63FF372E-C265-5BB7-D123-675578A92A3B} - C:\WINDOWS\System32\qorzc.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
    O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
    O4 - HKLM\..\Run: [ypvoaqcy] C:\WINDOWS\System32\wuukimcf.exe
    O4 - HKLM\..\Run: [OELoader] OELoader.exe
    O4 - HKLM\..\Run: [lch] C:\WINDOWS\lch.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
    O4 - HKLM\..\Run: [mjyfolqh] C:\WINDOWS\mjyfolqh.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Trdc] C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Microsoft® VBScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: VBScript Terminal (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Microsoft® VBScript® Terminal (HKCU)
    O9 - Extra 'Tools' menuitem: VBScript Terminal (HKCU)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://63.217.29.115/cax.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.122349537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
  • I'll take a look,
  • Close all windows, run HJT again and fix these items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {63FF372E-C265-5BB7-D123-675578A92A3B} - C:\WINDOWS\System32\qorzc.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
    O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
    O4 - HKLM\..\Run: [ypvoaqcy] C:\WINDOWS\System32\wuukimcf.exe
    O4 - HKLM\..\Run: [OELoader] OELoader.exe
    O4 - HKLM\..\Run: [lch] C:\WINDOWS\lch.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
    O4 - HKLM\..\Run: [mjyfolqh] C:\WINDOWS\mjyfolqh.exe
    O4 - HKCU\..\Run: [Trdc] C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Related (HKLM)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
    O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://63.217.29.115/cax.cab

    Restart in safe mode, set Windows to show all files, then delete:

    C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp <--- empty this folder
    C:\WINDOWS\System32\qorzc.dll <--- this file
    C:\WINDOWS\System32\nvms.dll <--- this file
    C:\WINDOWS\System32\mscb.dll <--- this file
    C:\WINDOWS\System32\msbe.dll <--- this file
    C:\Program Files\WindUpdates
    c:\temp <--- empty this folder
    C:\WINDOWS\olecom32.exe <--- this file
    C:\WINDOWS\System32\wuukimcf.exe <--- this file
    OELoader.exe <--- this file
    C:\WINDOWS\lch.exe <--- this file
    C:\Program Files\Web_Rebates <--- delete this folder
    C:\WINDOWS\System32\services\msxmidi.exe <--- this file
    C:\WINDOWS\mjyfolqh.exe <--- this file
    C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe <--- this file

    Restart in normal mode and post a new HijackThis log, and e-mail me a log from: http://users.pandora.be/marcvn/tools/get_active_services.zip (unzip it and run the script; a file active.txt is created, e-mail me that file, I'll PM you my e-mail address)
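The triage the helper performs above, as an added Python example (not code from this thread, nor from HijackThis): it parses the R0/R1, O2, O4, O13 and O16 lines of a HijackThis 1.x log and produces a fix list with one reason per entry, which is what gets ticked in HijackThis before the file deletions in safe mode. The allow-lists (known-good startup executables, known search and ActiveX download hosts) and the default-deny rule for autostart entries are assumptions modelled on the helper's reply; the sample log is a constructed excerpt of the log posted above.

```python
"""Triage a HijackThis 1.x log the way the helper in this thread did: R0/R1 (IE pages),
O2 (BHOs), O4 (autostart entries), O13 (URL prefixes) and O16 (ActiveX downloads).
Added example, not code from the thread; the allow-lists below are assumptions."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Assumed allow-lists, tuned to software visible in the posted log; not a general database.
KNOWN_GOOD_EXE = {"zlh.exe", "vobregcheck.exe", "msconfig.exe", "ctfmon.exe", "zonealarm.exe"}
KNOWN_SEARCH_HOSTS = ("microsoft.com", "msn.com", "google.com")
KNOWN_DPF_HOSTS = ("macromedia.com", "windowsupdate.microsoft.com", "msn.com", "postbank.nl")
DEFAULT_PREFIXES = {"http://", "https://", "ftp://", "gopher://", "mosaic://"}

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
O4_RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[[^\]]*\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?=\s|$)', re.IGNORECASE)
O16_RE = re.compile(r"^DPF: \{[^}]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
Finding = namedtuple("Finding", "kind entry reason")

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _trusted(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def check_r(body):
    """IE start/search pages: local files, .chm content and unrecognised search hosts."""
    value = body.partition(" = ")[2].strip().lower()
    if value.startswith("file://"):
        return "IE page points at a local HTML file"
    if value.startswith("mk:@msitstore:"):
        return "IE page is served out of a compiled help (.chm) file"
    if value.startswith("http") and not _trusted(_host(value), KNOWN_SEARCH_HOSTS):
        return f"IE page redirected to unrecognised host {_host(value)}"

def check_o2(body):
    """Browser Helper Objects: a BHO that registers without a name is rarely legitimate."""
    return "BHO registered without a name" if "(no name)" in body else None

def check_o4(body):
    """Autostart entries: default-deny, reporting the strongest indicator as the reason."""
    m = O4_RUN_RE.match(body)
    exe = EXE_RE.match(m["cmd"]) if m else None
    if exe is None:
        return "could not isolate the executable from the command line"
    directory, _, filename = exe["exe"].lower().rpartition("\\")
    if filename in KNOWN_GOOD_EXE:
        return None
    parts = directory.split("\\")
    if not directory:
        return "bare filename, resolved through the PATH search order"
    if "temp" in parts or "application data" in parts or "local settings" in parts:
        return "runs from a temp or user-profile data folder"
    if re.fullmatch(r"[a-z]:\\windows", directory):
        return "executable dropped directly into the Windows folder"
    if "system32" in parts and parts[-1] != "system32":
        return "executable hidden in a subfolder of System32"
    return "not on the known-good list"

def check_o13(body):
    """URL prefixes: anything but a bare scheme rewrites every address the user types."""
    value = body.partition(": ")[2].strip()
    if value.lower() not in DEFAULT_PREFIXES:
        return f"typed addresses are rewritten through {_host(value)}"

def check_o16(body):
    """Downloaded Program Files (ActiveX): raw-IP sources and unrecognised hosts."""
    m = O16_RE.match(body)
    if not m:
        return "unparsable O16 entry"
    host = _host(m["url"])
    if host.replace(".", "").isdigit():  # dotted-quad IPv4 literal, no hostname at all
        return f"ActiveX control fetched from a raw IP address ({host})"
    if not _trusted(host, KNOWN_DPF_HOSTS):
        return f"ActiveX control from unrecognised host {host}"

CHECKS = {"O2": check_o2, "O4": check_o4, "O13": check_o13, "O16": check_o16}

def triage(log_text):
    """One Finding per log entry that deserves a place on the fix list."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY_RE.match(line)
        check = m and (check_r if m["kind"].startswith("R") else CHECKS.get(m["kind"]))
        reason = check and check(m["body"])
        if reason:
            findings.append(Finding(m["kind"], line, reason))
    return findings

# Constructed excerpt of the log posted in this thread (entries reproduced verbatim).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {63FF372E-C265-5BB7-D123-675578A92A3B} - C:\WINDOWS\System32\qorzc.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
O4 - HKLM\..\Run: [OELoader] OELoader.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://63.217.29.115/cax.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.reason}\n    {f.entry}")
```

The default-deny rule on O4 is the point: the helper does not recognise olecom32.exe or msxmidi.exe as malware by name, they go on the list because they belong to no product known to be installed and sit where no installer would put them (the Windows root, a made-up subfolder of System32, a temp folder, or a bare filename resolved through the PATH). The same default-deny applies to ActiveX download hosts, which is why a .cab pulled from a raw IP is flagged even though the control itself is unknown. The script only produces the list; ticking the entries is still done in HijackThis, and the file paths carried by the flagged O2 and O4 lines are what the safe-mode deletion step works from.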
  • Just received the HijackThis log; Active.txt is on its way. I'm posting them here so M@rc can take a look as well.

This is an archived page. Replying is no longer possible.