
Question & Answer

Security & privacy

Would anyone take a look at this HijackThis log?

diabolo
3 answers
  • Logfile of HijackThis v1.99.1
    Scan saved at 16:43:22, on 10-3-2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Kris\Mijn documenten\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.124.210.131
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://64.124.210.131/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\System32\trgen.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\t.dll
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\grlyoja.exe
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/156cf5c88794159f5716/netzip/RdxIE601.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • I'll see whether I can write out a recipe for this PC.
    Begin2Search and the FreshBar bar are on it, and those can't be removed with HijackThis alone.

    Sjaak
  • See whether you can end the process host.exe (CTRL-ALT-DEL, then under the Processes tab).

    Copy the following line:
    regsvr32 /u C:\Windows\System32\winb2s32.dll
    Click Start -> Run: now paste the line (CTRL-V)

    Copy the following code into Notepad:

    REGEDIT4

    [-HKEY_CLASSES_ROOT\winb2s.dbi.1]
    [-HKEY_CLASSES_ROOT\winb2s.dbi]
    [-HKEY_CLASSES_ROOT\winb2s.iiittt.1]
    [-HKEY_CLASSES_ROOT\winb2s.iiittt]
    [-HKEY_CLASSES_ROOT\winb2s.momo.1]
    [-HKEY_CLASSES_ROOT\winb2s.momo]
    [-HKEY_CLASSES_ROOT\winb2s.ohb.1]
    [-HKEY_CLASSES_ROOT\winb2s.ohb]
    [-HKEY_CLASSES_ROOT\winb2s.amo.1]
    [-HKEY_CLASSES_ROOT\winb2s.amo]
    [-HKEY_CLASSES_ROOT\CLSID\{52FE5233-367C-4EFB-BDD7-0BE4D212C107}]
    [-HKEY_CLASSES_ROOT\CLSID\{07E9CDF4-20D2-46B1-B681-663968F527CE}]
    [-HKEY_CLASSES_ROOT\CLSID\{7C5E5671-7A1D-4AE8-91F0-496ADF2825F7}]
    [-HKEY_CLASSES_ROOT\CLSID\{4D568F0F-8AC9-40AB-88B7-415134C78777}]
    [-HKEY_CLASSES_ROOT\CLSID\{09C14745-90FD-42D1-9276-4924D7DBC274}]
    [-HKEY_CLASSES_ROOT\TypeLib\{081DE2F6-927B-4AA9-88C1-F531C9387383}]
    [-HKEY_CLASSES_ROOT\Interface\{A797A41D-F9F0-4A32-B9B5-AF927CB5AE54}]
    [-HKEY_CLASSES_ROOT\Interface\{B12508AD-CA55-4238-8DB3-55808BA6915A}]
    [-HKEY_CLASSES_ROOT\Interface\{F912C325-5B26-4AD6-BF39-84370833E972}]
    [-HKEY_CLASSES_ROOT\Interface\{BF7CB2C3-55B6-44C1-9615-920D004C27F7}]
    [-HKEY_CLASSES_ROOT\Interface\{6FE4AADF-EDAC-4037-9164-0B60179A4F12}]
    [-HKEY_CLASSES_ROOT\Interface\{17973BD7-959C-4D8A-8B2F-AB200E20A75E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb.1]
    [-HKEY_ALL_USERS\Software\_dsktptr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6024FCD5-91FC-4DC7-8481-63EABD5051D8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4776F3A-6936-4A9C-B2DA-E57C239FD2F8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF81672F-13FF-401F-8662-6E895C564CC4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D568F0F-8AC9-40AB-88B7-415134C78777}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\code store database\distribution units\{07e9cdf4-20d2-46b1-b681-663968f527ce}\winb2s.dbi.1]
    [-HKEY_CURRENT_USER\SOFTWARE\aaa_soft]

    Save this on the desktop under the name fixme.reg
    Save as type: All files

    Don't run this file yet!

    Print out the text below, because the PC has to be restarted in SAFE mode and then you won't have internet access to read this.

    Restart the PC in SAFE MODE. That's F8 when the computer starts booting again.

    Now start HijackThis and tick the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.124.210.131
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://64.124.210.131/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\System32\trgen.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\t.dll
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\grlyoja.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/156cf5c88794159f5716/netzip/RdxIE601.cab

    Now close all windows except HijackThis and click "Fix checked"

    Now delete the following files:
    Make sure you can also see system and hidden files.

    C:\Windows\System32\t.dll
    C:\Windows\System32\winb2s32.dll
    C:\Windows\System32\dsktrf.dll
    C:\Windows\System32\reg6523.exe
    C:\Windows\System32\trgen.dll
    C:\Windows\System32\b2s_cache\ (entire directory)
    C:\Windows\downloaded program files\winb2s32.inf
    C:\Program Files\Internet Explorer\grlyoja.exe

    Also search for and delete the following files:
    host.exe, menu.txt and date.dat (possibly also in C:\Windows\System32)
    Now run the file fixme.reg.
    Allow it to be added to the registry.

    Restart the computer, make a new log with HijackThis and post it.
    Also indicate which files you could not delete.

    Sjaak
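As an added example (not code from this thread or from HijackThis), a small Python triage script that applies the same reasoning Sjaak used above to lines in this log format: it flags IE start/search settings that point to a bare IP address, a URLSearchHook with no backing file, BHO/toolbar entries that load a file on the removal list, and O16 entries registered from a local file:// path. The sample lines and the watchlist are constructed from entries quoted in this thread.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines in the format of the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.124.210.131
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\t.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\grlyoja.exe
"""
# Watchlist taken from the files the answer above tells the poster to delete.
WATCHLIST = {"t.dll", "winb2s32.dll", "dsktrf.dll", "trgen.dll", "grlyoja.exe"}
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def is_ip_literal(host):
    """True when a URL host is a bare IP address instead of a domain name."""
    try:
        ip_address(host or "")
        return True
    except ValueError:
        return False


def basename(path):
    """Last component of a Windows or URL-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (kind, reason, detail) for every log line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            url = body.rsplit(" = ", 1)[1]        # value after "key = "
            if is_ip_literal(urlparse(url).hostname):
                findings.append((kind, "IE start/search page set to a bare IP address", url))
        elif kind == "R3" and body.endswith("(no file)"):
            findings.append((kind, "URLSearchHook CLSID with no backing file", body))
        elif kind in ("O2", "O3") and basename(body.rsplit(" - ", 1)[-1]) in WATCHLIST:
            findings.append((kind, "BHO/toolbar loads a file on the removal list", body))
        elif kind == "O16" and body.rsplit(" - ", 1)[-1].lower().startswith("file://"):
            findings.append((kind, "ActiveX entry registered from a local file:// path", body))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the six flagged entries; the Acrobat BHO, a legitimate vendor DLL, passes through unflagged.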

Answer this question

This is an archived page. Replying is no longer possible.