

Please check my HijackThis log

M@rc
25 replies
  • Would someone please check this log.

    My problems are: unsolicited porn windows, dialers, bogus items, plugins, ActiveX objects.
    Very many names in the Startup folder.
    Could not get Vx2 cleaner to install. Nor SpySweeper.
    Spybot hangs on immunizing.
    Opening a site currently takes very long.

    First scanned with Ad-Aware and Spybot. Both reported that there was an Intel Pentium 3 here instead of an AMD 2000+. Scanned and removed everything. DSO keeps coming back.

    Then with PestScan from ZoneAlarm, Symantec, CWShredder, Spysubtract,

    Found and partly removed, also manually in the registry, among others: CoolWWWSearch, DSO, DyFuCa, ISTbar.Slotch, n-Case, PowerScan, SexListWebRebates

    Scanned with VX2finder. The folder HKLM\SO\MS\WNT\CV\WINLOGON\Notify is full, see log, nothing removed yet.

    Findthewebsiteyouneed.com in HKCU\So\ms\w\cv\IS\zonemap\domains\
    And in HKU\number\So\Ms\W\CV\IS\. Not removed yet.

    Norton AntiVirus is on guard.
    I installed ZoneAlarm Pro too late, but it has already blocked a great deal
    SP2 not installed yet because of the problems that keep being reported in the forums




    Logfile of HijackThis v1.98.2
    Scan saved at 19:28:11, on 22-11-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Conexant\CnxDslTb.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Downloads\Coolwebshr\SpySub.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Stuurmw\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\CnxDslTb.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: SpySubtract.lnk = D:\Downloads\Coolwebshr\SpySub.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://H:\Content\include\msSecUcd.cab


    Log for VX2.BetterInternet File Finder (msg126)

    Files Found—

    Additional Files—

    Keys Under Notify—
    crypt32chain
    cryptnet
    cscdll
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon


    Guardian Key— is called:

    User Agent String—
  • Hello serendip,

    The VX2 log is fine.


    Restart the computer.
    Put HijackThis in its own folder first. Run it from that folder, make a new log and post it.

    Regards,
    Marc
  • Hello M@rk,
    Here is my new log.
    Regards,
    serendip

    Logfile of HijackThis v1.98.2
    Scan saved at 16:38:58, on 23-11-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Conexant\CnxDslTb.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Downloads\Coolwebshr\SpySub.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijackthis2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\CnxDslTb.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: SpySubtract.lnk = D:\Downloads\Coolwebshr\SpySub.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://H:\Content\include\msSecUcd.cab
  • Hello serendip,

    You can fix this one:
    R3 - Default URLSearchHook is missing

    How is the situation now?
    Is there anything in the HijackThis ignore list?
    Have you fixed anything yourself with HijackThis?

    Regards,
    Marc
  • Hello M@rk,
    I have not fixed anything in HijackThis except the R3. There is nothing in the ignore list.
    What should I do with the contents of Notify, remove everything or leave everything as it is?
    Unfortunately I have to go out now. I will be in touch again. Many thanks so far.
    Regards,
    serendip

    * HijackThis v1.98 *
    Written by Merijn - merijn@spywareinfo.com
    http://www.merijn.org/files/hijackthis.zip
    http://www.merijn.org/index.html

    See bottom for version history.

    The different sections of hijacking possibilities have been separated into these groups:
    R - Registry, StartPage/SearchPage changes
    R0 - Changed registry value
    R1 - Created registry value
    R2 - Created registry key
    R3 - Created extra registry value where only one should be
    F - IniFiles, autoloading entries
    F0 - Changed inifile value
    F1 - Created inifile value
    F2 - Changed inifile value, mapped to Registry
    F3 - Created inifile value, mapped to Registry
    N - Netscape/Mozilla StartPage/SearchPage changes
    N1 - Change in prefs.js of Netscape 4.x
    N2 - Change in prefs.js of Netscape 6
    N3 - Change in prefs.js of Netscape 7
    N4 - Change in prefs.js of Mozilla
    O - Other, several sections which represent:
    O1 - Hijack of auto.search.msn.com with Hosts file
    O2 - Enumeration of existing MSIE BHO's
    O3 - Enumeration of existing MSIE toolbars
    O4 - Enumeration of suspicious autoloading Registry entries
    O5 - Blocking of loading Internet Options in Control Panel
    O6 - Disabling of 'Internet Options' Main tab with Policies
    O7 - Disabling of Regedit with Policies
    O8 - Extra MSIE context menu items
    O9 - Extra 'Tools' menuitems and buttons
    O10 - Breaking of Internet access by New.Net or WebHancer
    O11 - Extra options in MSIE 'Advanced' settings tab
    O12 - MSIE plugins for file extensions or MIME types
    O13 - Hijack of default URL prefixes
    O14 - Changing of IERESET.INF
    O15 - Trusted Zone Autoadd
    O16 - Download Program Files item
    O17 - Domain hijack
    O18 - Enumeration of existing protocols and filters
    O19 - User stylesheet hijack
    O20 - AppInit_DLLs autorun Registry value
    O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
    O22 - SharedTaskScheduler autorun Registry key

    You can get more detailed information about an item by selecting it from the list of found items or highlighting the relevant line above, and clicking 'Info on selected item'.

    * Version history *
    [v1.98]
    * Definitive support for Japanese/Chinese/Korean systems
    * Added O20 (AppInit_DLLs) in light of newer trojans
    * Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
    * Added O22 (SharedTaskScheduler) in light of newer trojans
    * Backups of fixed items are now saved in separate folder
    * HijackThis now checks if it was started from a temp folder
    * Added a small process manager (Misc Tools section)
    [v1.96]
    * Lots of bugfixes and small enhancements! Among others:
    * Fix for Japanese IE toolbars
    * Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
    * Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
    * Added several files to the LSP whitelist
    * Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
    * All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
    [v1.95]
    * Added a new regval to check for from Whazit hijack (Start Page_bak).
    * Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
    * New in logfile: Running processes at time of scan.
    * Checkmarks for running StartupList with /full and /complete in HijackThis UI.
    * New O19 method to check for Datanotary hijack of user stylesheet.
    * Google.com IP added to whitelist for Hosts file check.
    [v1.94]
    * Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
    * Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
    * Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
    * Fixed a bug where DPF could not be deleted.
    * Fixed a stupid bug in enumeration of autostarting shortcuts.
    * Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
    * Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
    * Added support for backing up F0 and F1 items (d'oh!).
    [v1.93]
    * Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
    * Fixed a bug in LSP routine for Win95.
    * Made taborder nicer.
    * Fixed a bug in backup/restore of IE plugins.
    * Added UltimateSearch hijack in O17 method (I think).
    * Fixed a bug with detecting/removing BHO's disabled by BHODemon.
    * Also fixed a bug in StartupList (now version 1.52.1).
    [v1.92]
    * Fixed two stupid bugs in backup restore function.
    * Added DiamondCS file to LSP files safelist.
    * Added a few more items to the protocol safelist.
    * Log is now opened immediately after saving.
    * Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
    * Updated integrated StartupList to v1.52.
    * In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
    * Rudimentary proxy support for the Check for Updates function.
    [v1.91]
    * Added rd.yahoo.com to the Nonstandard But Safe Domains list.
    * Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
    * Added listing of programs/links in Startup folders (O4).
    * Fixed 'Check for Update' not detecting new versions.
    [v1.9]
    * Added check for Lop.com 'Domain' hijack (O17).
    * Bugfix in URLSearchHook (R3) fix.
    * Improved O1 (Hosts file) check.
    * Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
    * Added AutoConfigURL and proxyserver checks (R1).
    * IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
    * Added check for extra protocols (O18).
    [v1.81]
    * Added 'ignore non-standard but safe domains' option.
    * Improved Winsock LSP hijackers detection.
    * Integrated StartupList updated to v1.4.
    [v1.8]
    * Fixed a few bugs.
    * Adds detecting of free.aol.com in Trusted Zone.
    * Adds checking of URLSearchHooks key, which should have only one value.
    * Adds listing/deleting of Download Program Files.
    * Integrated StartupList into the new 'Misc Tools' section of the Config screen!
    [v1.71]
    * Improves detecting of O6.
    * Some internal changes/improvements.
    [v1.7]
    * Adds backup function! Yay!
    * Added check for default URL prefix
    * Added check for changing of IERESET.INF
    * Added check for changing of Netscape/Mozilla homepage and default search engine.
    [v1.61]
    * Fixes Runtime Error when Hosts file is empty.
    [v1.6]
    * Added enumerating of MSIE plugins
    * Added check for extra options in 'Advanced' tab of 'Internet Options'.
    [v1.5]
    * Adds 'Uninstall & Exit' and 'Check for update online' functions.
    * Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
    [v1.4]
    * Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
    * A few bugfixes/enhancements
    [v1.3]
    * Adds detecting of extra MSIE context menu items
    * Added detecting of extra 'Tools' menu items and extra buttons
    * Added 'Confirm deleting/ignoring items' checkbox
    [v1.2]
    * Adds 'Ignorelist' and 'Info' functions
    [v1.1]
    * Supports BHO's, some default URL changes
    [v1.0]
    * Original release

    A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.
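    The legend above says what each HijackThis code means, but not how to work through a log. The Python script below is an added example, not part of this thread and not HijackThis' own code: it parses a constructed log in the same format (the CLSIDs and vendor URLs are copied from the logs in this thread; the O15 domain example-hypothetical.test is invented), splits it into the process list and the coded items, and flags the entries a reviewer checks first: a missing URLSearchHook (R3), Trusted Zone additions (O15), ActiveX controls installed from local media or from a host outside an allowlist (O16), and the MSConfig selective-startup entry (O4). It also compares a list of Winlogon\Notify subkeys against the stock XP SP1 set, which is exactly the list in the VX2 finder log above and the reason that log was judged clean. The allowlist KNOWN_DPF_HOSTS is an assumption made for the example.

```python
"""Triage a HijackThis 1.98-style log (added example; not HijackThis' own code)."""
import re
from urllib.parse import urlparse

# Stock Winlogon\Notify subkeys of Windows XP SP1. The VX2 finder log in this
# thread lists exactly these, which is why it was judged clean.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Assumption for this example: hosts whose O16 downloads we accept without review.
KNOWN_DPF_HOSTS = {"security.symantec.com", "ppupdates.ca.com"}

ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# Constructed sample in the thread's log format. CLSIDs and vendor URLs are taken
# from the logs in the thread; the O15 domain is invented for the example.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O15 - Trusted Zone: *.example-hypothetical.test
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://H:\Content\include\msSecUcd.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
"""


def parse_hjt_log(text):
    """Split a log into the running-process list and the coded (R/F/N/O) items."""
    processes, items = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process block
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "items": items}


def flag_items(items):
    """Return (code, reason, body) for the items a reviewer looks at first."""
    flags = []
    for code, body in items:
        if code == "R3" and "URLSearchHook is missing" in body:
            flags.append((code, "URLSearchHook missing; safe to fix", body))
        elif code == "O15":
            flags.append((code, "site added to Trusted Zone; confirm it is wanted", body))
        elif code == "O16":
            url = urlparse(body.rsplit(" - ", 1)[-1])   # the download URL is last
            if url.scheme == "file":
                flags.append((code, "ActiveX control installed from local media", body))
            elif url.hostname not in KNOWN_DPF_HOSTS:
                flags.append((code, "ActiveX control from unlisted host %s" % url.hostname, body))
        elif code == "O4" and "[MSConfig]" in body:
            flags.append((code, "MSConfig selective startup is still active", body))
    return flags


def unexpected_notify(keys):
    """Winlogon\\Notify subkey names that are not part of a stock XP install."""
    return set(keys) - XP_DEFAULT_NOTIFY


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print("%d processes, %d items" % (len(log["processes"]), len(log["items"])))
    for code, reason, body in flag_items(log["items"]):
        print("%-4s %s\n     %s" % (code, reason, body))
    # "examplehook" is an invented name standing in for an unknown Notify subkey
    print("unexpected Notify keys:", unexpected_notify(["crypt32chain", "cryptnet", "examplehook"]))
```

    Run it against a real log by replacing SAMPLE_LOG with the file contents; anything not flagged still deserves a glance, since the rules only encode the handful of checks discussed in this thread.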
  • serendip wrote: "What should I do with the contents of Notify, remove everything or leave everything as it is?"

    Leave everything as it is. Why would you remove this?
    VX2Finder found nothing. That log is fine as it is.

    Can you post a new HijackThis log.
    How is the situation now?

    Regards,
    Marc
  • Hello M@rk,
    Here is the new HijackThis log. Today I scanned with several other anti-spyware programs and saw that what I or e.g. Spybot had removed earlier was cheerfully back, such as slotchbar, DyFuCA, xxxtoolbar, IST and other kinds. Also found new spyware. I am sending the logs along.
    I cannot get Ad-Aware installed properly, and it does not work properly either.
    Regards,
    Serendip
    Programs in Memory
    Windows Registry
    Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com'
    Found '' in 'SOFTWARE\sais'
    Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com'
    Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com'
    Found '*' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com'
    Internet URL Shortcuts
    Files and Directories
    Found 'conscorr.inf' in 'C:\WINDOWS\inf'
    Finished Scanning
    Started Backup
    Finished Backup
    Started Cleaning
    Checking for 'C:\WINDOWS\inf\conscorr.inf' in shortcut areas.
    Checking for 'C:\WINDOWS\inf\conscorr.inf' in startup areas.
    Cleaning 'C:\WINDOWS\inf\conscorr.inf'
    Finished Cleaning
    Logfile of HijackThis v1.98.2
    Scan saved at 0:03:44, on 26-11-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Conexant\CnxDslTb.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware\Coolwebshr\SpySub.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Spyware\Hijackthis2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spyware\Spybot S&D\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\CnxDslTb.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\Spyware\Coolwebshr\SpySub.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://H:\Content\include\msSecUcd.cab
  • Your HijackThis log looks fine to me.
    Of the infections you mention, some have an uninstall function.

    If it keeps coming back, you had best post a HijackThis log without using anti-spyware tools first.
  • Hello M@rk,
    The log I sent you contained all the spyware I described. If you see nothing, then they are hidden or something. If you want, I can send you the logs from the spyware tools. Many of them refer to the same registry key.
    Regards,
    serendip
  • M@rk,
    Addition to my previous message: to be clear, since I asked for your help I have not removed a single piece of spyware, neither via a program nor in the registry. So they were still on the PC when I made the HijackThis log. I cannot remove anything, because I do not know which is bad and which is good. Which ones can go from the list above the HijackThis log?
    Regards,
    serendip
  • Serendip,

    The programs are certainly not active on your computer. Otherwise they would have to be visible in the HijackThis log.

    I do not know which programs you use to scan.
    Please let me know.

    I cannot say much about that log above your HijackThis log as it stands.
    The reason is that I have too little information.
    What you can do is the following:
    Open IE, go to Tools - Internet Options - Security.
    Select the zone "Restricted sites".
    Click on Custom level and check what the security settings are. (These should be set to High.)

    Close this window and, still in the same zone, click the "Sites" button.
    Check whether the following items appear in this list:
    - searchsquire.com
    - sais
    - blazefind.com
    - slotch.com
    - xxxtoolbar.com

    Report the result of your search.

    Why does Ad-Aware not work?

    Regards,
    Marc
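    Why the Restricted sites check matters, as an added example that is not part of the thread: the domains Ad-Aware reported live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, where each value name is a URL scheme ("*", "http", "https") and the DWORD data is the IE zone number (2 = Trusted sites, 4 = Restricted sites). A scanner listing a domain under that key says nothing about which zone it is in: an entry in zone 4 is an immunization (Spybot's Immunize writes such entries) and is protective, whereas a domain in zone 2 gets elevated privileges and is what HijackThis reports as O15. The Python below parses a constructed .reg export (the zone-4 domain names are the ones named in this post; example-hypothetical.test is invented) and separates the two cases.

```python
"""Classify IE ZoneMap\\Domains entries by zone (added example, not from the thread)."""
import re

# IE security zone numbers.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

DOMAINS_MARK = "\\ZoneMap\\Domains\\"
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed .reg export (not an export from the machine in this thread). The
# zone-4 domains are the ones Ad-Aware listed; example-hypothetical.test is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-hypothetical.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-hypothetical.test\www]
"http"=dword:00000002
"""


def parse_zonemap(reg_text):
    """Return (host, scheme, zone) for every value under ZoneMap\\Domains."""
    entries, host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            path = m.group(1)
            idx = path.find(DOMAINS_MARK)
            if idx < 0:
                host = None               # some other key; ignore its values
                continue
            parts = path[idx + len(DOMAINS_MARK):].split("\\")
            host = ".".join(reversed(parts))   # Domains\example.com\www -> www.example.com
            continue
        m = VALUE_RE.match(line)
        if m and host is not None:
            entries.append((host, m.group(1), int(m.group(2), 16)))
    return entries


def classify(entries):
    """Split hosts into Restricted-zone entries (immunization) and Trusted additions."""
    restricted = sorted({h for h, _, z in entries if z == 4})
    trusted = sorted({h for h, _, z in entries if z == 2})
    return {"restricted": restricted, "trusted": trusted}


if __name__ == "__main__":
    entries = parse_zonemap(SAMPLE_REG)
    for host, scheme, zone in entries:
        print("%-35s %-6s %s" % (host, scheme, ZONE_NAMES.get(zone, "zone %d" % zone)))
    result = classify(entries)
    print("immunized (Restricted):", ", ".join(result["restricted"]) or "(none)")
    print("needs review (Trusted): ", ", ".join(result["trusted"]) or "(none)")
```

    To use it on a real machine, export the Domains key with regedit (File - Export, or "reg export" from a command prompt) and feed the file's contents in place of SAMPLE_REG; only the "trusted" list needs action.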
  • M@rk, here is a scan from Ad-Aware from when it still worked. After that it no longer did; I removed it and tried several times to install it, which no longer succeeded.
    I will send you the logs I made yesterday after this.
    Regards,
    serendip

    Ad-Aware SE Build 1.05
    Logfile Created on:Thursday 25 November 2004 22:08:07
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R20 25.11.2004
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    Definition File:
    =========================
    Definitions File Loaded:
    Reference Number : SE1R8 13.09.2004
    Internal build : 12
    File location : C:\PROGRA~1\Spyware\Ad-Aware\AD-AWA~1\defs.ref
    File size : 344723 Bytes
    Total size : 1092481 Bytes
    Signature data size : 1068971 Bytes
    Reference data size : 22998 Bytes
    Signatures total : 30122
    Fingerprints total : 154
    Fingerprints size : 7129 Bytes
    Target categories : 15
    Target families : 560

    25-11-2004 21:59:02 WebUpdate

    Installing Update…
    Definitions File Loaded:
    Reference Number : SE1R20 25.11.2004
    Internal build : 25
    File location : C:\PROGRA~1\Spyware\Ad-Aware\AD-AWA~1\defs.ref
    File size : 401144 Bytes
    Total size : 1271832 Bytes
    Signature data size : 1242561 Bytes
    Reference data size : 28759 Bytes
    Signatures total : 35327
    Fingerprints total : 536
    Fingerprints size : 20604 Bytes
    Target categories : 15
    Target families : 620


    25-11-2004 21:59:34 Success
    Update successfully downloaded and installed.


    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium III
    Memory available:26 %
    Total physical memory:261616 kb
    Available physical memory:67788 kb
    Total page file size:633532 kb
    Available on page file:404356 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2046412 kb
    OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

    Ad-Aware SE Settings
    ===========================
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Play sound at scan completion if scan locates critical objects


    25-11-2004 22:08:07 - Scan started. (Custom mode)

    Listing running processes
    ++++++++++++++++++++++++++++++++++++++

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 512
    ThreadCreationTime : 25-11-2004 20:38:24
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 560
    ThreadCreationTime : 25-11-2004 20:38:25
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 584
    ThreadCreationTime : 25-11-2004 20:38:26
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 628
    ThreadCreationTime : 25-11-2004 20:38:26
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Besturingssysteem Microsoft® Windows®
    CompanyName : Microsoft Corporation
    FileDescription : Services en controllertoepassingen
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. Alle rechten voorbehouden.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 640
    ThreadCreationTime : 25-11-2004 20:38:26
    BasePriority : Normal
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 804
    ThreadCreationTime : 25-11-2004 20:38:27
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 828
    ThreadCreationTime : 25-11-2004 20:38:27
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 960
    ThreadCreationTime : 25-11-2004 20:38:27
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1016
    ThreadCreationTime : 25-11-2004 20:38:27
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1136
    ThreadCreationTime : 25-11-2004 20:38:28
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:11 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 1168
    ThreadCreationTime : 25-11-2004 20:38:28
    BasePriority : Normal
    FileVersion : 1.03.4
    ProductVersion : 1.03.4
    ProductName : Event Manager
    CompanyName : Symantec Corporation
    FileDescription : Event Manager Service
    InternalName : ccEvtMgr
    LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename : ccEvtMgr.exe

    #:12 [sagent2.exe]
    FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
    ProcessID : 1332
    ThreadCreationTime : 25-11-2004 20:38:29
    BasePriority : Normal
    FileVersion : 1, 2, 0, 0
    ProductVersion : 1, 0, 0, 0
    ProductName : EPSON Bidirectional Printer
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Printer Status Agent
    InternalName : SAgent2
    LegalCopyright : Copyright (C) SEIKO EPSON CORP. 2000
    OriginalFilename : SAgent2.exe

    #:13 [ghoststartservice.exe]
    FilePath : C:\Program Files\Symantec\Norton Ghost 2003\
    ProcessID : 1368
    ThreadCreationTime : 25-11-2004 20:38:29
    BasePriority : Normal
    FileVersion : 2003.775
    ProductVersion : 2003.775
    ProductName : Norton Ghost Start Service
    CompanyName : Symantec Corporation
    FileDescription : Norton Ghost Start
    InternalName : GhostStartService
    LegalCopyright : Copyright (C) 1998-2002 Symantec Corp. All rights reserved.
    OriginalFilename : GhostStartService.exe

    #:14 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ProcessID : 1392
    ThreadCreationTime : 25-11-2004 20:38:29
    BasePriority : Normal
    FileVersion : 9.05.1015
    ProductVersion : 9.05.1015
    ProductName : Norton AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename : NAVAPSVC.EXE

    #:15 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1416
    ThreadCreationTime : 25-11-2004 20:38:29
    BasePriority : Normal
    FileVersion : 6.14.10.5672
    ProductVersion : 6.14.10.5672
    ProductName : NVIDIA Driver Helper Service, Version 56.72
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 56.72
    InternalName : NVSVC
    LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
    OriginalFilename : nvsvc32.exe

    #:16 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1528
    ThreadCreationTime : 25-11-2004 20:38:29
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:17 [vsmon.exe]
    FilePath : C:\WINDOWS\system32\ZoneLabs\
    ProcessID : 1584
    ThreadCreationTime : 25-11-2004 20:38:29
    BasePriority : Normal
    FileVersion : 4.5.594.000
    ProductVersion : 4.5.594.000
    ProductName : TrueVector Service
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
    OriginalFilename : vsmon.exe

    #:18 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 220
    ThreadCreationTime : 25-11-2004 20:38:40
    BasePriority : Normal
    FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
    ProductVersion : 6.00.2800.1221
    ProductName : Besturingssysteem Microsoft® Windows®
    CompanyName : Microsoft Corporation
    FileDescription : Windows Verkenner
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. Alle rechten voorbehouden.
    OriginalFilename : EXPLORER.EXE

    #:19 [rundll32.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 416
    ThreadCreationTime : 25-11-2004 20:38:41
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Besturingssysteem Microsoft® Windows®
    CompanyName : Microsoft Corporation
    FileDescription : Een DLL-bestand als toepassing starten
    InternalName : rundll
    LegalCopyright : © Microsoft Corporation. Alle rechten voorbehouden.
    OriginalFilename : RUNDLL.EXE

    #:20 [ghoststarttrayapp.exe]
    FilePath : C:\Program Files\Symantec\Norton Ghost 2003\
    ProcessID : 432
    ThreadCreationTime : 25-11-2004 20:38:41
    BasePriority : Normal
    FileVersion : 2003.775
    ProductVersion : 2003.775
    ProductName : Norton Ghost Start
    CompanyName : Symantec Corporation
    FileDescription : Norton Ghost Start
    InternalName : GhostStartTrayApp
    LegalCopyright : Copyright (C) 1998-2002 Symantec Corp. All rights reserved.
    OriginalFilename : GhostStartTrayApp.exe

    #:21 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 452
    ThreadCreationTime : 25-11-2004 20:38:42
    BasePriority : Normal
    FileVersion : 1.08.01
    ProductVersion : 1.08.01
    ProductName : Common Client
    CompanyName : Symantec Corporation
    FileDescription : Common Client CC App
    InternalName : ccApp
    LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename : ccApp.exe

    #:22 [realsched.exe]
    FilePath : C:\Program Files\Common Files\Real\Update_OB\
    ProcessID : 460
    ThreadCreationTime : 25-11-2004 20:38:42
    BasePriority : Normal
    FileVersion : 0.1.0.3208
    ProductVersion : 0.1.0.3208
    ProductName : RealPlayer (32-bit)
    CompanyName : RealNetworks, Inc.
    FileDescription : RealNetworks Scheduler
    InternalName : schedapp
    LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
    LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
    OriginalFilename : realsched.exe

    #:23 [cnxdsltb.exe]
    FilePath : C:\Program Files\Conexant\
    ProcessID : 468
    ThreadCreationTime : 25-11-2004 20:38:42
    BasePriority : Normal
    FileVersion : 2.099.081.000
    ProductVersion : 2.099.081.000
    ProductName : Conexant AccessRunner ADSL
    CompanyName : Conexant Systems Inc.
    FileDescription : Taakbalktoepassing
    LegalCopyright : © 1999-2003 Conexant Systems Inc.

    #:24 [zlclient.exe]
    FilePath : C:\PROGRA~1\ZONELA~1\ZONEAL~1\
    ProcessID : 484
    ThreadCreationTime : 25-11-2004 20:38:42
    BasePriority : Normal
    FileVersion : 4.5.594.000
    ProductVersion : 4.5.594.000
    ProductName : Zone Labs Client
    CompanyName : Zone Labs Inc.
    FileDescription : Zone Labs Client
    InternalName : zlclient
    LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
    OriginalFilename : zlclient.exe

    #:25 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ProcessID : 496
    ThreadCreationTime : 25-11-2004 20:38:42
    BasePriority : Normal
    FileVersion : 4.7.0041
    ProductVersion : Version 4.7
    ProductName : Messenger
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msmsgs
    LegalCopyright : Copyright © Microsoft Corporation 1997-2001
    LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename : msmsgs.exe

    #:26 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 532
    ThreadCreationTime : 25-11-2004 20:38:42
    BasePriority : Normal
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : CTFMON.EXE

    #:27 [spysub.exe]
    FilePath : C:\Program Files\Spyware\Coolwebshr\
    ProcessID : 604
    ThreadCreationTime : 25-11-2004 20:38:44
    BasePriority : Normal
    FileVersion : 1, 0, 1, 49
    ProductVersion : 2.60
    ProductName : SpySubtract
    CompanyName : InterMute, Inc.
    FileDescription : SpySubtract Program EXE
    InternalName : SpySub.exe
    LegalCopyright : Copyright © 2004 InterMute, Inc. All rights reserved.
    OriginalFilename : SpySub.exe

    #:28 [devldr32.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1304
    ThreadCreationTime : 25-11-2004 20:38:47
    BasePriority : Normal
    FileVersion : 1, 0, 0, 17
    ProductVersion : 1, 0, 0, 17
    ProductName : Creative Ring3 NT Inteface
    CompanyName : Creative Technology Ltd.
    FileDescription : DevLdr32
    InternalName : DevLdr
    LegalCopyright : Copyright (C) Creative Technology Ltd. 1998-2001
    OriginalFilename : DevLdr32.exe

    #:29 [wuauclt.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 2776
    ThreadCreationTime : 25-11-2004 20:39:32
    BasePriority : Normal
    FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
    ProductVersion : 5.4.3790.2182
    ProductName : Besturingssysteem Microsoft® Windows®
    CompanyName : Microsoft Corporation
    FileDescription : Automatische updates
    InternalName : wuauclt.exe
    LegalCopyright : © Microsoft Corporation. Alle rechten voorbehouden.
    OriginalFilename : wuauclt.exe

    #:30 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Spyware\Ad-Aware\AD-AWA~1\
    ProcessID : 840
    ThreadCreationTime : 25-11-2004 20:58:39
    BasePriority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    ++++++++++++++++++++++++++++++++++++++
    New critical objects: 0
    Objects found so far: 0


    Started registry scan
    ++++++++++++++++++++++++++++++++++++++

    Registry Scan result:
    ++++++++++++++++++++++++++++++++++++++
    New critical objects: 0
    Objects found so far: 0


    Started deep registry scan
    ++++++++++++++++++++++++++++++++++++++

    Deep registry scan result:
    ++++++++++++++++++++++++++++++++++++++
    New critical objects: 0
    Objects found so far: 0


    Started Tracking Cookie scan
    ++++++++++++++++++++++++++++++++++++++


    Tracking cookie scan result:
    ++++++++++++++++++++++++++++++++++++++
    New critical objects: 0
    Objects found so far: 0



    Deep scanning and examining files (C:)
    ++++++++++++++++++++++++++++++++++++++

    Disk Scan Result for C:\
    ++++++++++++++++++++++++++++++++++++++
    New critical objects: 0
    Objects found so far: 0


    Scanning Hosts file……
    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Hosts file scan result:
    ++++++++++++++++++++++++++++++++++++++
    1 entries scanned.
    New critical objects:0
    Objects found so far: 0


    22:15:44 Scan Complete

    Summary Of This Scan
    ++++++++++++++++++++++++++++++++++++++
    Total scanning time:00:07:37.267
    Objects scanned:137711
    Objects identified:0
    Objects ignored:0
    New critical objects:0
    • M@rk, my Restricted sites zone is set to High. The 5 spies are not in it, though I had already put slotch.com in earlier. serendip
      SpySubtract scan

      **** Run Keys ****

      RUN: [nwiz] nwiz.exe /install
      RUN: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
      RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      RUN: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
      RUN: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
      RUN: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      RUN: [CnxDslTaskBar] "C:\Program Files\Conexant\CnxDslTb.exe"
      RUN: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
      RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      RUN: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe


      **** Browser Helper Objects ****

      BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      BHO: [] C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar1.dll
      BHO: [CNavExtBho Class] C:\Program Files\Norton AntiVirus\NavShExt.dll


      **** IE Toolbars ****

      TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
      TOOLBAR: [Norton AntiVirus] C:\Program Files\Norton AntiVirus\NavShExt.dll
      TOOLBAR: [&Google] c:\program files\google\googletoolbar1.dll


      **** IE Extensions ****



      **** Hosts File Entries ****

      HOSTS: 127.0.0.1 localhost
      HOSTS: 127.0.0.1 localhost


      **** IE Settings ****

      Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
      Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
      Local Page: C:\WINDOWS\System32\blank.htm
      Search Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch


      **** IE Context Menu (Right click) ****

      IEContext: [&Google Search] res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
      IEContext: [Gelijkwaardige pagina's] res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
      IEContext: [Koppelingspagina's] res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
      IEContext: [Opgeslagen momentopname van de pagina] res://c:\program files\google\GoogleToolbar1.dll/cmcache.html


      **** Layered Service Providers ****

      LSP: MSAFD Tcpip [TCP/IP]
      LSP: MSAFD Tcpip [UDP/IP]
      LSP: RSVP UDP Service Provider
      LSP: RSVP TCP Service Provider
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E902465-73F8-4504-A239-5F7023820E52}] SEQPACKET 3
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E902465-73F8-4504-A239-5F7023820E52}] DATAGRAM 3
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{019632E5-5CA0-4799-BE7E-40B9F77DED80}] SEQPACKET 0
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{019632E5-5CA0-4799-BE7E-40B9F77DED80}] DATAGRAM 0
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CA653415-C435-4868-9695-CD59377BF273}] SEQPACKET 1
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CA653415-C435-4868-9695-CD59377BF273}] DATAGRAM 1
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3733F8C4-DF3A-4A44-ADBD-5A306A627852}] SEQPACKET 2
      LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3733F8C4-DF3A-4A44-ADBD-5A306A627852}] DATAGRAM 2


      **** Blocked Control Panel Items ****

      BLOCKED: [ncpa.cpl] No
      BLOCKED: [odbccp32.cpl] No


      **** Downloaded Program Files ****

      DirectAnimation Java Classes [file://C:\WINDOWS\Java\classes\dajava.cab]
      Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
      ppctlcab [http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab] C:\WINDOWS\Downloaded Program Files\ppctl.dll
      {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} [http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab] C:\WINDOWS\Downloaded Program Files\navapi32.dll C:\WINDOWS\Downloaded Program Files\avsniff.dll
      {2FC9A21E-2069-4E47-8235-36318989DB13} [http://ppupdates.ca.com/downloads/scanner/axscanner.cab]
      {644E432F-49D3-41A1-8DD5-E099162EEEC5} [http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab]
      {8B1BC605-C593-4865-8F5B-05517F0CD0BB} [file://H:\Content\include\msSecUcd.cab]
      {9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38173.3278240741]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]


      **** Custom IE Search Items ****

      SEARCH: [SearchAssistant] http://www.google.com/ie
      SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
  • Hello Serendip,

    Before you post any more logs, could you, or would you, first answer the questions in my previous post?
    This Ad-Aware log is clean.
    Which program did you use to make that particular log that shows those "infections"?

    regards,
    Marc
  • Serendip,

    Give me a moment.
    I'm putting something together for you.
  • Serendip,

    You couldn't find that "sais"; that was my mistake.
    The others we'll now add to the Restricted sites zone.
    Sais we'll remove.

    Open Notepad. Copy the quote below into the Notepad file.
    Save it as fix.reg on your desktop. Make sure "All files" is selected under Save as type.
    Double-click it and allow the changes to be added to the registry.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]
    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com]
    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\sais]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\sais]

    My question remains: which program did you make that log with?

    regards,
    Marc
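A way to check a fix.reg like the one in the post above before importing it, as an added example (not Marc's code or any tool used in this thread): it parses the .reg text, shows which hosts land in which IE security zone (dword 4 = Restricted sites) and which keys are deleted, and flags anything that grants trust or deletes Windows' own keys. The zone ids and the Domains\example.com\www layout are standard IE ZoneMap facts; the protected-key list is this example's own assumption.

```python
"""Review a Windows .reg fix before importing it (constructed example, not code
from the forum post): parse the REGEDIT5 format, list which hosts go into which
IE security zone and which keys are deleted, and flag what needs a second look."""
import re
from dataclasses import dataclass, field

# URL security zone ids stored as the dword under ZoneMap\Domains.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
HEADER = "Windows Registry Editor Version 5.00"
SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
ZONEMAP_RE = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\"
    r"CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\(.+)$", re.IGNORECASE)
# Assumed list: deleting under these roots removes Windows' own configuration, not spyware.
PROTECTED = ("hkey_local_machine\\system", "hkey_local_machine\\software\\microsoft\\windows",
             "hkey_current_user\\software\\microsoft\\windows")


@dataclass
class RegReview:
    zone_assignments: dict = field(default_factory=dict)  # (host, scheme) -> zone id
    deletions: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def review_reg(text: str) -> RegReview:
    review = RegReview()
    lines = text.splitlines()
    has_header = bool(lines) and lines[0].strip() == HEADER
    if not has_header:
        review.warnings.append("missing REGEDIT5 header; regedit rejects the file")
    current = None  # key path of the section being read
    for raw in lines[1 if has_header else 0:]:
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            if m.group(1) == "-":  # "[-KEY]" deletes the whole key
                review.deletions.append(current)
                if current.count("\\") < 2 or current.lower().startswith(PROTECTED):
                    review.warnings.append(f"deletes protected key {current}")
            continue
        m = DWORD_RE.match(line)
        zm = ZONEMAP_RE.match(current) if (m and current) else None
        if not zm:
            continue  # other values are not zone assignments
        # Domains\example.com\www is stored reversed: it means host www.example.com
        host = ".".join(reversed(zm.group(1).split("\\")))
        scheme, zone = m.group(1), int(m.group(2), 16)  # "*" covers every scheme
        review.zone_assignments[(host, scheme)] = zone
        if zone not in ZONE_NAMES:
            review.warnings.append(f"{host}: unknown zone id {zone}")
        elif zone in (1, 2):
            review.warnings.append(f"{host}: granted elevated trust ({ZONE_NAMES[zone]})")
    return review


# The fix.reg from the post above, embedded as the sample input.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com]
"*"=dword:00000004
[-HKEY_CURRENT_USER\Software\sais]
[-HKEY_LOCAL_MACHINE\SOFTWARE\sais]
"""

if __name__ == "__main__":
    r = review_reg(FIX_REG)
    print(*[f"{h} ({s}) -> {ZONE_NAMES.get(z, z)}" for (h, s), z in r.zone_assignments.items()],
          *[f"delete {k}" for k in r.deletions], *[f"WARNING: {w}" for w in r.warnings], sep="\n")
```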
  • Hello M@rk,
    The answer to your question: the log was made in SpySubtract by InterMute.
    regards,
    serendip
  • Hello M@rk,
    Sorry I didn't give you the names of the programs I scan with. They are: Ad-Aware, Spybot, Spyware Doctor, SpySubtract, CWShredder and VX2Finder. With Ad-Aware, Spybot and VX2Finder I removed the spies each time, but with some of them it didn't stick.
    Following your clear instructions I've killed several birds with one stone. With fix.reg it went like lightning. Glad you're helping me so well.
    Regards,
    serendip
  • Hello Serendip,

    You're welcome.
    I take it the problem is solved now?

    regards,
    Marc
  • Hello M@rk,
    I'm afraid I'll still need your help for a while. I did what you wrote, except that WordPad didn't have "all files", so I saved fix.reg as a text file. After doing what you said, I saw them listed under "Restricted sites", and sais had disappeared from the registry. You didn't write that the 4 entries you listed would be removed from the registry, and they aren't.

    After a scan with Spyware Doctor:
    Slotchbar

    Altnet software
    RealPlayer search Bar
    Xxxtoolbar 2x
    Zango Search Assistant 5x
    C-Dilla
    Virtual Bouncer registry scanner, adware 8x

    - They all refer to each other, except RealPlayer
    - Xxxtoolbar refers to HKLM\So\Policies\Avenue Media, as does Zango, and to HKCU\So\Ms\IE\Explorer Bars\{number}
    - The Zangos refer to i lookup.com, teensguru.com, xxxtoolbar and Avenue Media;
    - RealPlayer searchbar still refers to C:\PF\CF\Real\Update_OB\realsched.exe; many programs flag it as dangerous. It removes it every time in the middle of the check, otherwise it won't continue. The next time it's back again.
    - C-dilla HKLM\Software\Co7ft5Y safedisc RefCount
    There are still many spyware names in the registry. Perhaps you assumed that after using the spyware programs I also removed everything they found. But that is precisely what I didn't do, because I had noticed they came back anyway, as I wrote you before. I also didn't remove the spyware in Ad-Aware that I sent you on Friday 26-11. If I can remove everything from this, I'll do so right away if you say so.

    Regards,
    serendip

This is an archived page. Replying is no longer possible.