Unknown spyware? Who wants to check my HJT log?

Anonymous
juisterr
12 answers
  • A friend of mine has a PC that keeps showing unwanted websites without being asked to. I have already scanned with Ad-Aware and Spybot S&D and removed the critical objects. NOD32 also removed a few things. The infection is still in there though. :(

    Is version 2 of HijackThis better? I used 1.99.1 anyway:

    ————————————————————————-
    Logfile of HijackThis v1.99.1
    Scan saved at 10:01:05, on 12-5-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\Jaap\Mijn documenten\Winamp\winampa.exe
    C:\WINDOWS\system32\pwinmodv.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Jaap\Mijn documenten\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinmodv.exe CHA001
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\dciskmnm.dll",realset
    O4 - HKCU\..\Run: [trans sect] C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\default team bore.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinmodv.exe
    O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
    O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mijnalbum.nl/skin/system/upload/ImageUploader3.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4925/mcfscan.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    ———————————————————————————–
    Who can check this log for me?
    Thanks a lot in advance!





  • Download Combofix to your Desktop.
    Double-click Combofix.exe
    Follow the instructions and accept the disclaimer by typing "y" or "Y".
    While the fix is running, do NOT click in the window, because that will make your PC hang.

    When the fix has finished and after the restart, the log combofix.txt will open.
    Post this log in your next post together with a new HijackThis log.

    NOTE: If your virus scanner reacts with a message about a script being executed, you may ignore it.


    Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:
    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\dciskmnm.dll",realset
    O4 - HKCU\..\Run: [trans sect] C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\default team bore.exe
    Click 'Fix checked' to remove the items.

    Open Explorer ("My Computer") and choose Tools -> Folder Options...
    Under View, check the following settings:

    Turn off: Hide protected operating system files (Recommended)
    Turn off: Hide extensions for known file types

    Select: Display the contents of system folders (XP only)
    Select: Show hidden files and folders

    Delete the following directories:
    C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\

  • Okay, I have done everything:

    Start Time= zo 13-05-2007 19:12:50,21

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-05-12 10:00:14 931 ( A.... ) "C:\WINDOWS\system32\winpfz32.sys"
    2007-05-12 10:00:14 931 ( A.... ) "C:\WINDOWS\system32\winpfz32.sys"
    2007-05-12 09:59:32 49204 ( A.... ) "C:\WINDOWS\system32\tkptcsfk.dll"
    2007-05-12 09:59:30 132660 ( A.... ) "C:\WINDOWS\system32\dciskmnm.dll"
    2007-05-10 09:25:38 49204 ( A.... ) "C:\WINDOWS\system32\koknarhy.dll"
    2007-05-10 09:17:58 2 ( A.... ) "C:\WINDOWS\system32\wcpit.exe"
    2007-05-10 08:57:16 ( .D... ) "C:\Program Files\Enigma Software Group"
    2007-05-06 12:56:30 2 ( A.... ) "C:\WINDOWS\system32\wcpicomsv.exe"
    2007-04-27 22:45:12 14970328 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
    2007-04-18 20:24:34 49204 ( A.... ) "C:\WINDOWS\system32\kkjujbkn.dll"
    2007-03-28 21:21:42 26730 ( A.... ) "C:\WINDOWS\system32\tuvuvuu.dll"
    2007-03-28 21:21:42 26730 ( A.... ) "C:\WINDOWS\system32\opnljkh.dll"
    2007-03-28 21:21:40 31844 ( ..... ) "C:\WINDOWS\system32\jkklk.exe"
    2007-03-20 17:00:12 ( .D... ) "C:\Program Files\Windows Media Connect 2"
    2007-03-17 15:45:54 293376 ( A.... ) "C:\WINDOWS\system32\winsrv.dll"
    2007-03-15 12:23:16 497496 ( A.... ) "C:\WINDOWS\system32\XceedZip.dll"
    2007-03-15 12:19:58 526184 ( A.... ) "C:\WINDOWS\system32\XceedCry.dll"
    2007-03-14 16:29:56 274432 ( A.... ) "C:\WINDOWS\system32\imon.dll"
    2007-03-14 16:18:38 9 ( A.... ) "C:\WINDOWS\system32\nldsrego.exe"
    2007-03-14 16:07:10 184439 ( A.... ) "C:\WINDOWS\system32\pwinmodv.exe"
    2007-03-14 15:53:44 ( .D... ) "C:\Program Files\Common Files\{04037571-0BB0-1043-0525-05050621001f}"
    2007-03-14 15:30:44 ( .D... ) "C:\Program Files\hijackthis"
    2007-03-14 15:25:46 ( .D... ) "C:\Program Files\Lavasoft"
    2007-03-14 15:25:22 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
    2007-03-14 15:23:44 ( .D... ) "C:\Documents and Settings\Coen\Application Data\U3"
    2007-03-14 15:22:44 114 ( A.... ) "C:\hhjj.bat"
    2007-03-14 15:22:28 203149 ( A.... ) "C:\lo.exe"
    2007-03-14 15:21:14 32768 ( A.... ) "C:\setup9x.exe"
    2007-03-09 12:24:16 122880 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
    2007-03-08 17:39:10 579072 ( A.... ) "C:\WINDOWS\system32\user32.dll"
    2007-03-08 17:39:10 281600 ( A.... ) "C:\WINDOWS\system32\gdi32.dll"
    2007-03-08 17:39:10 40960 ( A.... ) "C:\WINDOWS\system32\mf3216.dll"
    2007-03-08 17:38:00 1843712 ( A.... ) "C:\WINDOWS\system32\win32k.sys"
    2007-03-04 19:10:30 147456 ( A.... ) "C:\WINDOWS\system32\vbzip10.dll"
    2007-03-04 18:59:12 282212 ( ..SH. ) "C:\WINDOWS\system32\gebyy.dll"
    2007-03-04 18:58:36 282212 ( ..SH. ) "C:\WINDOWS\system32\jkkll.dll"
    2007-03-04 18:52:48 26685 ( ..SH. ) "C:\WINDOWS\system32\jkhhhgh.dll"
    2007-03-04 18:52:26 77 ( A.... ) "C:\WINDOWS\system32\n.bat"
    2007-03-04 18:52:22 26685 ( ..SH. ) "C:\WINDOWS\system32\yabyvuv.dll"
    2007-03-04 18:52:14 63 ( A.... ) "C:\WINDOWS\system32\yyd.bat"
    2007-03-04 18:52:00 26685 ( ..SH. ) "C:\WINDOWS\system32\jkkhfgg.dll"
    2007-03-04 18:51:56 35328 ( A.... ) "C:\WINDOWS\system32\xtz.exe"
    2007-03-04 18:51:34 90112 ( A.... ) "C:\WINDOWS\system32\smsc.exe"
    2007-03-04 18:51:02 32768 ( A.... ) "C:\WINDOWS\system32\setup9X.exe"
    2007-03-04 12:09:40 40321 ( A.... ) "C:\WINDOWS\system32\adspipe-uninst.exe"
    2007-02-28 18:05:06 2140672 ( A.... ) "C:\WINDOWS\system32\ntoskrnl.exe"
    2007-02-28 18:05:04 2020352 ( A.... ) "C:\WINDOWS\system32\ntkrnlpa.exe"
    2007-02-23 12:14:44 61440 ( A.... ) "C:\WINDOWS\system32\adspipe.dll"
    2007-02-22 15:40:24 337280 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
    2007-02-22 15:39:48 1476992 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
    2007-02-22 15:39:32 236928 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
    2007-02-19 17:05:46 3077632 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
    2007-02-19 17:05:46 1494528 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
    2007-02-19 17:05:46 1057280 ( A.... ) "C:\WINDOWS\system32\danim.dll"
    2007-02-19 17:05:46 1023488 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
    2007-02-19 17:05:46 662016 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
    2007-02-19 17:05:46 616960 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
    2007-02-19 17:05:46 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
    2007-02-19 17:05:46 474624 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
    2007-02-19 17:05:46 449024 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
    2007-02-19 17:05:46 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
    2007-02-19 17:05:46 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
    2007-02-19 17:05:46 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
    2007-02-19 17:05:46 151552 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
    2007-02-19 17:05:46 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
    2007-02-19 17:05:46 96768 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
    2007-02-19 17:05:46 55808 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
    2007-02-19 17:05:46 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
    2007-02-19 17:05:46 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
    2006-05-17 08:20:56 17 ( A.... ) "C:\Program Files\d.bat"


    ((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
    "SigmatelSysTrayApp"="stsystra.exe"
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
    "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
    "PRISMSVR.EXE"="\"C:\\Program Files\\Thomson SpeedTouch\\SpeedTouch 120g Wireless USB Monitor\\PRISMSVR.EXE\" /APPLY"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "WinampAgent"="C:\\Documents and Settings\\Jaap\\Mijn documenten\\Winamp\\winampa.exe"
    "ExploreUpdSched"="C:\\WINDOWS\\system32\\pwinmodv.exe CHA001"
    "nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
    "WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\dciskmnm.dll\",realset"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
    "01OnceModeProgram"="C:\\Documents and Settings\\All Users\\Application Data\\bags math 01 once\\List Bird.exe"
    "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
    "Hitman Pro Expiration Helper"="\"C:\\Program Files\\Hitman Pro\\xphelper.exe\""
    "Nfo"="C:\\WINDOWS\\system32\\nfomon\\nfomon.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,ClientStartup -s"
    "adstart"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\adspipe.dll\" DllVerify"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "trans sect"="C:\\DOCUME~1\\Coen\\APPLIC~1\\PLUSST~1\\default team bore.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
    "Steam"="\"C:\\Program Files\\Spellen\\Steam\\Steam.exe\" -silent"
    "trans sect"="C:\\DOCUME~1\\Coen\\APPLIC~1\\PLUSST~1\\default team bore.exe"
    "Chckup"="C:\\WINDOWS\\system32\\Netverchk.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{04037571-0BB0-1043-0525-05050621001f}"="\"C:\\Program Files\\Common Files\\{04037571-0BB0-1043-0525-05050621001f}\\Update.exe\" mc-110-12-0000140"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{04037571-0BB0-1043-0525-05050621001f}"="\"C:\\Program Files\\Common Files\\{04037571-0BB0-1043-0525-05050621001f}\\Update.exe\" mc-110-12-0000140"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{182B90A3-F372-438A-800C-6814B4DE417B}"=""


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\ACD1D24890064BD0.job

    Completion time: zo 13-05-2007 19:13:08,23
    ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt



    ===========

    Logfile of HijackThis v1.99.1
    Scan saved at 19:36:44, on 13-5-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\Jaap\Mijn documenten\Winamp\winampa.exe
    C:\WINDOWS\system32\pwinmodv.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\totalcmd\TOTALCMD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    c:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Jaap\Mijn documenten\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinmodv.exe CHA001
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [trans sect] C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\default team bore.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinmodv.exe
    O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
    O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mijnalbum.nl/skin/system/upload/ImageUploader3.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4925/mcfscan.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


    ——————————


    ——————————————————–
    BACKUPS CREATED in C:\DELJOB

    ACD1D24890064BD0.job
    ——————————————————–
    FILES IN TASKS FOLDER

    ——————————————————–
    EXPORT APP DATA FOLDERS

    Het volume in station C heeft geen naam.
    Het volumenummer is 0403-7571

    Map van C:\Documents and Settings\Coen\Application Data

    13-05-2007 19:33 <DIR> .
    13-05-2007 19:33 <DIR> ..
    27-09-2005 19:31 <DIR> Adobe
    21-10-2006 11:25 <DIR> AdobeUM
    10-03-2006 13:49 <DIR> APPLEC~1 Apple Computer
    21-06-2006 17:37 <DIR> Atari
    23-05-2006 23:08 <DIR> Autodesk
    04-03-2007 19:14 <DIR> BITDOW~1 BitDownload
    12-07-2006 10:30 <DIR> CYBERL~1 CyberLink
    29-04-2006 12:20 <DIR> Help
    14-09-2004 09:56 <DIR> IDENTI~1 Identities
    16-09-2005 00:13 <DIR> JASCSO~1 Jasc Software Inc
    14-03-2007 15:25 <DIR> Lavasoft
    07-10-2005 14:14 <DIR> MACROM~1 Macromedia
    23-06-2006 14:31 <DIR> MICROS~1 Microsoft
    11-03-2006 13:16 <DIR> MICROS~2 Microsoft Web Folders
    13-05-2007 19:33 <DIR> PLUSST~1 plus store test
    16-09-2005 00:07 <DIR> Sun
    27-09-2005 19:20 <DIR> Symantec
    14-03-2007 15:39 <DIR> U3
    0 bestand(en) 0 bytes
    20 map(pen) 90.312.933.376 bytes beschikbaar
    Het volume in station C heeft geen naam.
    Het volumenummer is 0403-7571

    Map van C:\Documents and Settings\All Users\Application Data

    08-03-2007 18:49 <DIR> .
    08-03-2007 18:49 <DIR> ..
    21-10-2006 11:25 <DIR> Adobe
    02-02-2006 22:41 <DIR> APPLEC~1 Apple Computer
    23-06-2006 15:49 <DIR> Autodesk
    06-03-2007 15:05 <DIR> BAGSMA~1 bags math 01 once
    10-01-2006 14:41 <DIR> DELLPH~1 Dell Photo Printer 720
    16-09-2005 00:13 <DIR> INSTAL~1 InstallShield
    15-11-2006 20:11 <DIR> MICROS~1 Microsoft
    30-11-2005 12:47 <DIR> Prism
    20-12-2005 16:00 <DIR> SONYER~1 Sony Ericsson
    29-12-2006 15:18 <DIR> SPYBOT~1 Spybot - Search & Destroy
    14-03-2007 15:47 <DIR> Symantec
    08-03-2007 18:51 <DIR> TEMP
    10-05-2006 13:18 <DIR> WINDOW~1 Windows Genuine Advantage
    22-12-2005 18:11 <DIR> YAHOO!~1 Yahoo! Companion
    0 bestand(en) 0 bytes
    16 map(pen) 90.312.933.376 bytes beschikbaar
    ——————————————————–
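The helper's first reply picked two O4 lines out of the original HijackThis log, and the ComboFix "Reg Loading Points" section in this post lists the same Run keys again in registry-export form. The script below is an added example and is not part of this thread, nor code from HijackThis or ComboFix: it parses both formats into one structure and applies three review heuristics a defender would otherwise apply by eye (program launched from a user profile directory, rundll32 loading a DLL by explicit path, a Startup-folder shortcut pointing into system32). The sample input is constructed from the shapes of lines posted above, and the three rules and the function names are my own choices rather than any published rule set.

```python
"""Autorun triage for the two formats in this thread: HijackThis 'O4' lines and the
registry-export style of ComboFix's 'Reg Loading Points' section (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample input; the line shapes follow the logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\dciskmnm.dll",realset
O4 - HKCU\..\Run: [trans sect] C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\default team bore.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinmodv.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
"""
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\dciskmnm.dll\",realset"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"adstart"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\adspipe.dll\" DllVerify"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"trans sect"="C:\\DOCUME~1\\Coen\\APPLIC~1\\PLUSST~1\\default team bore.exe"
"""

HJT_RUN = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HJT_STARTUP = re.compile(r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
REG_SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
# Shortest prefix ending in an executable extension: copes with unquoted paths containing spaces.
PROGRAM = re.compile(r'^(?P<prog>.+?\.(?:exe|com|cpl|scr|bat|dll))(?:\s+(?P<rest>.*))?$', re.I)
USER_PROFILE = re.compile(r'\\(?:documents and settings|docume~1)\\', re.I)
SYSTEM32 = re.compile(r'\\windows\\system32\\', re.I)

@dataclass
class Entry:
    source: str          # "HKLM\Run", "Startup", "Global Startup" or "reg:<exported key>"
    name: str
    command: str
    active: bool = True  # False for values under an AutorunsDisabled subkey
    reasons: list = field(default_factory=list)

def parse_hjt(text):
    """Return the O4 entries (Run keys and Startup folders) of a HijackThis log."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := HJT_RUN.match(line):
            entries.append(Entry(f"{m['hive']}\\{m['key']}", m['name'], m['cmd']))
        elif m := HJT_STARTUP.match(line):
            entries.append(Entry(m['key'], m['name'], m['cmd']))
    return entries

def parse_reg_export(text):
    """Return the string values under every '...\\run' key of a registry-export listing."""
    entries, key, in_run_key = [], '', False
    for line in (l.strip() for l in text.splitlines()):
        if m := REG_SECTION.match(line):
            key, in_run_key = m['key'], '\\run' in m['key'].lower()
        elif in_run_key and (m := REG_VALUE.match(line)):
            unescape = lambda s: re.sub(r'\\(.)', r'\1', s)  # \\ -> \ and \" -> "
            entries.append(Entry('reg:' + key, unescape(m['name']), unescape(m['value']),
                                 active='autorunsdisabled' not in key.lower()))
    return entries

def split_command(cmd):
    """Split a Run-style command line into (program path, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and (end := cmd.find('"', 1)) > 0:
        return cmd[1:end], cmd[end + 1:].strip()
    m = PROGRAM.match(cmd)
    return (m['prog'], (m['rest'] or '').strip()) if m else (cmd, '')

def rundll32_module(args):
    """The module rundll32 was asked to load: a quoted path, or the text before ',' or a space."""
    args = args.strip()
    return args[1:args.find('"', 1)] if args.startswith('"') else re.split(r'[,\s]', args, maxsplit=1)[0]

def assess(entry):
    """Review reasons for one entry; the three rules are my own choice, not a published rule set."""
    prog, args = split_command(entry.command)
    reasons = []
    if USER_PROFILE.search(prog):
        reasons.append('program lives in a user profile directory (user-writable): ' + prog)
    if prog.replace('\\', '/').rsplit('/', 1)[-1].lower() == 'rundll32.exe':
        module = rundll32_module(args)
        if '\\' in module:  # the Windows entries in this log pass a bare module name instead
            reasons.append('rundll32 loads a DLL by explicit path: ' + module)
    if entry.source.endswith('Startup') and SYSTEM32.search(prog):
        reasons.append('Startup-folder shortcut points at an executable inside system32: ' + prog)
    return reasons

def triage(entries):
    """Attach reasons to every entry and return the entries that have at least one."""
    for entry in entries:
        entry.reasons = assess(entry)
    return [e for e in entries if e.reasons]

if __name__ == '__main__':
    for e in triage(parse_hjt(HJT_SAMPLE) + parse_reg_export(COMBOFIX_SAMPLE)):
        print(f"[{e.source}{'' if e.active else ' (disabled)'}] {e.name!r}")
        for reason in e.reasons:
            print('   -', reason)
```

The output is a review list, not a verdict: software installed into a user profile (the Winamp entry in this log) trips the profile-directory rule too, and a value under AutorunsDisabled is reported but marked inactive, since it does not run at logon. Run against the sample, the three rules pick out exactly the two entries the helper asked to fix plus the Think-Adz startup shortcut, and the disabled adstart entry from the registry export.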










  • Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:
    O4 - HKCU\..\Run: [trans sect] C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\default team bore.exe
    Click 'Fix checked' to remove the items.

    Open Explorer ("My Computer") and choose Tools -> Folder Options...
    Under View, check the following settings:

    Turn off: Hide protected operating system files (Recommended)
    Turn off: Hide extensions for known file types

    Select: Display the contents of system folders (XP only)
    Select: Show hidden files and folders

    Delete the following directories:
    C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\

    Download this file:
    Deljob.exe
    Place it on your desktop.
    If your virus scanner blocks the download of deljob.exe,
    temporarily disable your virus scanner or download the zip version
    deljob.zip
    and extract it to your Desktop.
    Double-click Deljob.exe.
    A log (logit.txt) will open; you can also find the file on your desktop.
    Post the contents of logit.txt in your next message.


    Download VirtumundoBegone and save it to your desktop.
    Double-click VirtumundoBeGone.exe and follow the instructions.
    Don't be alarmed if you see a blue screen with an error message - this is normal.

    When the fix is done, restart the PC.
    Post the contents of the log file VBG.TXT, which is now on your desktop, here in your next message.
  • juisterr, thanks a lot for the help! You are certainly keeping busy with it! :)

    I had already removed the following line, but it has come back:

    O4 - HKCU\..\Run: [trans sect] C:\DOCUME~1\Coen\APPLIC~1\PLUSST~1\default team bore.exe


    Tomorrow I will make another attempt. Would it perhaps work better in safe mode? There are also several users on this PC; maybe it needs to be scanned per user as well?
    I also have not had an answer on whether the new version of HijackThis is better.
  • Beta as in new and still with (possible) bugs.

    Follow the instructions and then post an HJT log from each user, please.
  • There is still vermin on this PC. I now get a popup window to: http://www.leasy.nl/?sstlcmpid=8899

    Here are the logs.

    [05/14/2007, 14:31:12] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Coen\Bureaublad\VirtumundoBeGone.exe" )
    [05/14/2007, 14:31:17] - Detected System Information:
    [05/14/2007, 14:31:17] - Windows Version: 5.1.2600, Service Pack 2
    [05/14/2007, 14:31:17] - Current Username: Coen (Admin)
    [05/14/2007, 14:31:17] - Windows is in NORMAL mode.
    [05/14/2007, 14:31:17] - Searching for Browser Helper Objects:
    [05/14/2007, 14:31:17] - BHO 1: AutorunsDisabled ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - No filename found. Continuing.
    [05/14/2007, 14:31:17] - BHO 2: {01B65A04-0172-4738-A95D-43FE507E86D3} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\...\Winlogon\Notify\
    [05/14/2007, 14:31:17] - Key not found: HKLM\...\Winlogon\Notify\, continuing.
    [05/14/2007, 14:31:17] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [05/14/2007, 14:31:17] - BHO 4: {182B90A3-F372-438A-800C-6814B4DE417B} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\...\Winlogon\Notify\tuvuvuu
    [05/14/2007, 14:31:17] - Found: HKLM\...\Winlogon\Notify\tuvuvuu - This is probably Virtumundo.
    [05/14/2007, 14:31:17] - Assigning {182B90A3-F372-438A-800C-6814B4DE417B} MSEvents Object
    [05/14/2007, 14:31:17] - BHO list has been changed! Starting over...
    [05/14/2007, 14:31:17] - BHO 1: AutorunsDisabled ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - No filename found. Continuing.
    [05/14/2007, 14:31:17] - BHO 2: {01B65A04-0172-4738-A95D-43FE507E86D3} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\...\Winlogon\Notify\
    [05/14/2007, 14:31:17] - Key not found: HKLM\...\Winlogon\Notify\, continuing.
    [05/14/2007, 14:31:17] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [05/14/2007, 14:31:17] - BHO 4: {182B90A3-F372-438A-800C-6814B4DE417B} (MSEvents Object)
    [05/14/2007, 14:31:17] - ALERT: Found MSEvents Object!
    [05/14/2007, 14:31:17] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [05/14/2007, 14:31:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [05/14/2007, 14:31:17] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [05/14/2007, 14:31:17] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - No filename found. Continuing.
    [05/14/2007, 14:31:17] - BHO 8: {BF875E3E-129B-4C49-93E9-25718875583F} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\…\Winlogon\Notify\gebyy
    [05/14/2007, 14:31:17] - Found: HKLM\…\Winlogon\Notify\gebyy - This is probably Virtumundo.
    [05/14/2007, 14:31:17] - Assigning {BF875E3E-129B-4C49-93E9-25718875583F} MSEvents Object
    [05/14/2007, 14:31:17] - BHO list has been changed! Starting over…
    [05/14/2007, 14:31:17] - BHO 1: AutorunsDisabled ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - No filename found. Continuing.
    [05/14/2007, 14:31:17] - BHO 2: {01B65A04-0172-4738-A95D-43FE507E86D3} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\…\Winlogon\Notify\
    [05/14/2007, 14:31:17] - Key not found: HKLM\…\Winlogon\Notify\, continuing.
    [05/14/2007, 14:31:17] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [05/14/2007, 14:31:17] - BHO 4: {182B90A3-F372-438A-800C-6814B4DE417B} (MSEvents Object)
    [05/14/2007, 14:31:17] - ALERT: Found MSEvents Object!
    [05/14/2007, 14:31:17] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\…\Winlogon\Notify\SDHelper
    [05/14/2007, 14:31:17] - Key not found: HKLM\…\Winlogon\Notify\SDHelper, continuing.
    [05/14/2007, 14:31:17] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [05/14/2007, 14:31:17] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - No filename found. Continuing.
    [05/14/2007, 14:31:17] - BHO 8: {BF875E3E-129B-4C49-93E9-25718875583F} (MSEvents Object)
    [05/14/2007, 14:31:17] - ALERT: Found MSEvents Object!
    [05/14/2007, 14:31:17] - BHO 9: {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} ()
    [05/14/2007, 14:31:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:17] - Checking for HKLM\…\Winlogon\Notify\tkptcsfk
    [05/14/2007, 14:31:17] - Key not found: HKLM\…\Winlogon\Notify\tkptcsfk, continuing.
    [05/14/2007, 14:31:17] - Finished Searching Browser Helper Objects
    [05/14/2007, 14:31:17] - *** Detected MSEvents Object
    [05/14/2007, 14:31:17] - Trying to remove MSEvents Object…
    [05/14/2007, 14:31:18] - Terminating Process: IEXPLORE.EXE
    [05/14/2007, 14:31:19] - Terminating Process: RUNDLL32.EXE
    [05/14/2007, 14:31:19] - Disabling Automatic Shell Restart
    [05/14/2007, 14:31:19] - Terminating Process: EXPLORER.EXE
    [05/14/2007, 14:31:19] - Suspending the NT Session Manager System Service
    [05/14/2007, 14:31:19] - Terminating Windows NT Logon/Logoff Manager
    [05/14/2007, 14:31:19] - Re-enabling Automatic Shell Restart
    [05/14/2007, 14:31:19] - File to disable: C:\WINDOWS\system32\tuvuvuu.dll
    [05/14/2007, 14:31:19] - Renaming C:\WINDOWS\system32\tuvuvuu.dll -> C:\WINDOWS\system32\tuvuvuu.dll.vir
    [05/14/2007, 14:31:19] - File successfully renamed!
    [05/14/2007, 14:31:19] - Removing HKLM\…\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B}
    [05/14/2007, 14:31:19] - Removing HKCR\CLSID\{182B90A3-F372-438A-800C-6814B4DE417B}
    [05/14/2007, 14:31:19] - Adding Kill Bit for ActiveX for GUID: {182B90A3-F372-438A-800C-6814B4DE417B}
    [05/14/2007, 14:31:19] - Deleting ATLEvents/MSEvents Registry entries
    [05/14/2007, 14:31:19] - Removing HKLM\…\Winlogon\Notify\tuvuvuu
    [05/14/2007, 14:31:19] - Searching for Browser Helper Objects:
    [05/14/2007, 14:31:19] - BHO 1: AutorunsDisabled ()
    [05/14/2007, 14:31:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:19] - No filename found. Continuing.
    [05/14/2007, 14:31:19] - BHO 2: {01B65A04-0172-4738-A95D-43FE507E86D3} ()
    [05/14/2007, 14:31:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:19] - Checking for HKLM\…\Winlogon\Notify\
    [05/14/2007, 14:31:19] - Key not found: HKLM\…\Winlogon\Notify\, continuing.
    [05/14/2007, 14:31:19] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [05/14/2007, 14:31:19] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
    [05/14/2007, 14:31:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:19] - Checking for HKLM\…\Winlogon\Notify\SDHelper
    [05/14/2007, 14:31:19] - Key not found: HKLM\…\Winlogon\Notify\SDHelper, continuing.
    [05/14/2007, 14:31:19] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [05/14/2007, 14:31:19] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [05/14/2007, 14:31:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:19] - No filename found. Continuing.
    [05/14/2007, 14:31:19] - BHO 7: {BF875E3E-129B-4C49-93E9-25718875583F} (MSEvents Object)
    [05/14/2007, 14:31:19] - ALERT: Found MSEvents Object!
    [05/14/2007, 14:31:19] - BHO 8: {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} ()
    [05/14/2007, 14:31:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:19] - Checking for HKLM\…\Winlogon\Notify\tkptcsfk
    [05/14/2007, 14:31:19] - Key not found: HKLM\…\Winlogon\Notify\tkptcsfk, continuing.
    [05/14/2007, 14:31:19] - Finished Searching Browser Helper Objects
    [05/14/2007, 14:31:19] - *** Detected MSEvents Object
    [05/14/2007, 14:31:19] - Trying to remove MSEvents Object…
    [05/14/2007, 14:31:20] - Terminating Process: IEXPLORE.EXE
    [05/14/2007, 14:31:20] - Terminating Process: RUNDLL32.EXE
    [05/14/2007, 14:31:21] - Disabling Automatic Shell Restart
    [05/14/2007, 14:31:21] - Terminating Process: EXPLORER.EXE
    [05/14/2007, 14:31:21] - Suspending the NT Session Manager System Service
    [05/14/2007, 14:31:21] - Terminating Windows NT Logon/Logoff Manager
    [05/14/2007, 14:31:21] - Re-enabling Automatic Shell Restart
    [05/14/2007, 14:31:21] - File to disable: C:\WINDOWS\system32\gebyy.dll
    [05/14/2007, 14:31:21] - Renaming C:\WINDOWS\system32\gebyy.dll -> C:\WINDOWS\system32\gebyy.dll.vir
    [05/14/2007, 14:31:21] - File successfully renamed!
    [05/14/2007, 14:31:21] - Removing HKLM\…\Browser Helper Objects\{BF875E3E-129B-4C49-93E9-25718875583F}
    [05/14/2007, 14:31:21] - Removing HKCR\CLSID\{BF875E3E-129B-4C49-93E9-25718875583F}
    [05/14/2007, 14:31:21] - Adding Kill Bit for ActiveX for GUID: {BF875E3E-129B-4C49-93E9-25718875583F}
    [05/14/2007, 14:31:21] - Deleting ATLEvents/MSEvents Registry entries
    [05/14/2007, 14:31:21] - Removing HKLM\…\Winlogon\Notify\gebyy
    [05/14/2007, 14:31:21] - Searching for Browser Helper Objects:
    [05/14/2007, 14:31:21] - BHO 1: AutorunsDisabled ()
    [05/14/2007, 14:31:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:21] - No filename found. Continuing.
    [05/14/2007, 14:31:21] - BHO 2: {01B65A04-0172-4738-A95D-43FE507E86D3} ()
    [05/14/2007, 14:31:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:21] - Checking for HKLM\…\Winlogon\Notify\
    [05/14/2007, 14:31:21] - Key not found: HKLM\…\Winlogon\Notify\, continuing.
    [05/14/2007, 14:31:21] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [05/14/2007, 14:31:21] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
    [05/14/2007, 14:31:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:21] - Checking for HKLM\…\Winlogon\Notify\SDHelper
    [05/14/2007, 14:31:21] - Key not found: HKLM\…\Winlogon\Notify\SDHelper, continuing.
    [05/14/2007, 14:31:21] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [05/14/2007, 14:31:21] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [05/14/2007, 14:31:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:21] - No filename found. Continuing.
    [05/14/2007, 14:31:21] - BHO 7: {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} ()
    [05/14/2007, 14:31:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [05/14/2007, 14:31:21] - Checking for HKLM\…\Winlogon\Notify\tkptcsfk
    [05/14/2007, 14:31:21] - Key not found: HKLM\…\Winlogon\Notify\tkptcsfk, continuing.
    [05/14/2007, 14:31:21] - Finished Searching Browser Helper Objects
    [05/14/2007, 14:31:21] - Finishing up…
    [05/14/2007, 14:31:21] - A restart is needed.
    [05/14/2007, 14:31:21] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
    [05/14/2007, 14:31:27] - Attempting to Restart via STOP error (Blue Screen!)

    Logfile of HijackThis v1.99.1
    Scan saved at 17:50:58, on 14-5-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    C:\WINDOWS\system32\pwinmodv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\THOMSO~1\SPEEDT~1\PRISMSVR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\totalcmd\TOTALCMD.EXE
    c:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {01B65A04-0172-4738-A95D-43FE507E86D3} - \
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pwinmodv.exe CHA001
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinmodv.exe
    O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mijnalbum.nl/skin/system/upload/ImageUploader3.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4925/mcfscan.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


    ——————————————————–
    BACKUPS CREATED in C:\DELJOB

    ACD1D24890064BD0.job
    ——————————————————–
    FILES IN TASKS FOLDER

    ——————————————————–
    EXPORT APP DATA FOLDERS

    Volume in drive C has no label.
    Volume Serial Number is 0403-7571

    Directory of C:\Documents and Settings\Coen\Application Data

    14-05-2007 14:30 <DIR> .
    14-05-2007 14:30 <DIR> ..
    27-09-2005 19:31 <DIR> Adobe
    21-10-2006 11:25 <DIR> AdobeUM
    10-03-2006 13:49 <DIR> APPLEC~1 Apple Computer
    21-06-2006 17:37 <DIR> Atari
    23-05-2006 23:08 <DIR> Autodesk
    04-03-2007 19:14 <DIR> BITDOW~1 BitDownload
    12-07-2006 10:30 <DIR> CYBERL~1 CyberLink
    29-04-2006 12:20 <DIR> Help
    14-09-2004 09:56 <DIR> IDENTI~1 Identities
    16-09-2005 00:13 <DIR> JASCSO~1 Jasc Software Inc
    14-03-2007 15:25 <DIR> Lavasoft
    07-10-2005 14:14 <DIR> MACROM~1 Macromedia
    23-06-2006 14:31 <DIR> MICROS~1 Microsoft
    11-03-2006 13:16 <DIR> MICROS~2 Microsoft Web Folders
    16-09-2005 00:07 <DIR> Sun
    27-09-2005 19:20 <DIR> Symantec
    14-03-2007 15:39 <DIR> U3
    0 File(s) 0 bytes
    19 Dir(s) 92.795.940.864 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 0403-7571

    Directory of C:\Documents and Settings\All Users\Application Data

    08-03-2007 18:49 <DIR> .
    08-03-2007 18:49 <DIR> ..
    21-10-2006 11:25 <DIR> Adobe
    02-02-2006 22:41 <DIR> APPLEC~1 Apple Computer
    23-06-2006 15:49 <DIR> Autodesk
    06-03-2007 15:05 <DIR> BAGSMA~1 bags math 01 once
    10-01-2006 14:41 <DIR> DELLPH~1 Dell Photo Printer 720
    16-09-2005 00:13 <DIR> INSTAL~1 InstallShield
    15-11-2006 20:11 <DIR> MICROS~1 Microsoft
    30-11-2005 12:47 <DIR> Prism
    20-12-2005 16:00 <DIR> SONYER~1 Sony Ericsson
    13-05-2007 21:00 <DIR> SPYBOT~1 Spybot - Search & Destroy
    14-03-2007 15:47 <DIR> Symantec
    08-03-2007 18:51 <DIR> TEMP
    10-05-2006 13:18 <DIR> WINDOW~1 Windows Genuine Advantage
    22-12-2005 18:11 <DIR> YAHOO!~1 Yahoo! Companion
    0 File(s) 0 bytes
    16 Dir(s) 92.795.940.864 bytes free
    ——————————————————–


    Unfortunately 1 of the 3 user accounts cannot be logged into because of a password. Hopefully that is not insurmountable?



  • Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)

    Close all windows except HijackThis
    Click 'Fix checked' to remove the items.


    Restart and then please let the tool below run.

    Download Dr.Web CureIt to your desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Double-click drweb-cureit.exe and allow it to start the express scan.
    This scans the files currently loaded in memory; when something is found, click the Yes to all button at the question 'cure it?'. This is only a short scan.
    Once the short scan has finished, click Options > Change Settings
    Choose the "Scan" tab and uncheck "Heuristic analysis"
    Back in the main window you can select the drives you want to have scanned.
    Select all drives here. A red dot will then appear on the drives you are scanning.
    Then click the green arrow on the right to start the scan.
    Click 'Yes to all' when asked to cure or move.
    When the scan is done, check whether you can click the following icon next to what was found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
    If so, click it, then click the icon just below it and choose: Move incurable, as shown in the following image:
    http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
    This moves the files to the folder %userprofile%\DoctorWeb\quarantaine-folder if they cannot be disinfected. (This is in case we need samples.)
    After selecting the above, in the menu at the top of Dr.Web CureIt, click file and choose save report list. Save the log to your desktop.
    Then close Dr.Web CureIt.

    Restart your computer!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
    After restarting, copy and paste the contents of the log you saved earlier into your next post.

    How are your problems now?
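Two patterns in this thread can be triaged from a HijackThis log without a GUI: the orphaned "(no file)" O2/O9 entries the reply above asks to fix, and the correlation the VundoFix log performs when a BHO has no default name (look up the DLL name under HKLM\...\Winlogon\Notify; a hit is logged as "This is probably Virtumundo"). The script below is an added example and is not part of this thread, of HijackThis or of VundoFix. Its sample log is constructed: most lines are copied from the 14-5-2007 log, and two pre-cleanup lines for tuvuvuu.dll (the O2 BHO and its O20 Winlogon Notify entry) are reconstructed from the VundoFix log, on the assumption that HijackThis v1.99.1 would have listed them in that form before the DLL was renamed.

```python
"""Triage a HijackThis (v1.99.1 / v2.0) text log for the patterns seen in this thread.

Added example, not part of the forum thread, of HijackThis or of VundoFix.
Two checks are implemented:
  * orphan - an O2/O9 entry whose path is "(no file)": the registry still
             references a BHO/button whose DLL is gone (what 'Fix checked' removes).
  * vundo  - an O2 BHO with "(no name)" whose DLL stem also appears as an
             O20 Winlogon Notify subkey: the correlation VundoFix logs as
             "Found: HKLM\\...\\Winlogon\\Notify\\<name> - This is probably Virtumundo".
"""
import re
from typing import List, NamedTuple

# Line shapes exactly as HijackThis prints them (leading whitespace is ignored).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\S+) - (?P<path>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.+?) - (?P<clsid>\S+) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
R3_MISSING = "R3 - Default URLSearchHook is missing"


class Finding(NamedTuple):
    kind: str    # "orphan", "vundo" or "missing_default"
    line: str    # the HijackThis line that triggered it
    reason: str


def dll_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\tuvuvuu.dll' -> 'tuvuvuu' (case-folded); '' when there is no file name."""
    base = path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def triage(log_text: str) -> List[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: collect every Winlogon\Notify subkey HijackThis reports (O20 lines).
    notify_keys = set()
    for ln in lines:
        m = O20_RE.match(ln)
        if m:
            notify_keys.add(m["key"].lower())

    # Pass 2: walk O2/O9/R3 lines and correlate against the Notify keys.
    findings: List[Finding] = []
    for ln in lines:
        if ln == R3_MISSING:
            findings.append(Finding("missing_default", ln,
                                    "default URLSearchHook key is absent; HijackThis recreates it on fix"))
            continue
        m = O2_RE.match(ln) or O9_RE.match(ln)
        if not m:
            continue
        if m["path"].strip() == "(no file)":
            findings.append(Finding("orphan", ln,
                                    "registry still references a DLL that no longer exists; safe to fix"))
            continue
        if ln.startswith("O2") and m["name"] == "(no name)":
            stem = dll_stem(m["path"])
            if stem and stem in notify_keys:
                findings.append(Finding("vundo", ln,
                                        f"nameless BHO whose DLL also hooks Winlogon\\Notify\\{stem}: probable Virtumundo"))
    return findings


# Constructed sample: lines from the thread's log plus two reconstructed
# pre-cleanup lines for tuvuvuu.dll (the O2 entry and its O20 Notify hook).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {01B65A04-0172-4738-A95D-43FE507E86D3} - \
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\tuvuvuu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: tuvuvuu - C:\WINDOWS\system32\tuvuvuu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    -> {f.reason}")
```

Note that Spybot's SDHelper.dll is also a nameless BHO, and the script leaves it alone for the same reason VundoFix did: there is no matching Winlogon\Notify\SDHelper key. A nameless BHO with a real file is only suspicious once it is paired with a Notify hook of the same name.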
  • I have carried out the above. After I had run SmitFraudFix the problem was fixed. Here is the log from that program and one more HijackThis log to check once more:

    SmitFraudFix v2.181

    Scan done at 9:00:45,57, Tue 15-05-2007
    Run from E:\Anti_Spyware_Tools\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    127.0.0.1 bin.errorprotector.com ## added by CiD
    127.0.0.1 br.errorsafe.com ## added by CiD
    127.0.0.1 br.winantivirus.com ## added by CiD
    127.0.0.1 br.winfixer.com ## added by CiD
    127.0.0.1 cdn.drivecleaner.com ## added by CiD
    127.0.0.1 cdn.errorsafe.com ## added by CiD
    127.0.0.1 cdn.winsoftware.com ## added by CiD
    127.0.0.1 de.errorsafe.com ## added by CiD
    127.0.0.1 de.winantivirus.com ## added by CiD
    127.0.0.1 download.cdn.drivecleaner.com ## added by CiD
    127.0.0.1 download.cdn.errorsafe.com ## added by CiD
    127.0.0.1 download.cdn.winsoftware.com ## added by CiD
    127.0.0.1 download.errorsafe.com ## added by CiD
    127.0.0.1 download.systemdoctor.com ## added by CiD
    127.0.0.1 download.winantispyware.com ## added by CiD
    127.0.0.1 download.windrivecleaner.com ## added by CiD
    127.0.0.1 download.winfixer.com ## added by CiD
    127.0.0.1 drivecleaner.com ## added by CiD
    127.0.0.1 dynamique.drivecleaner.com ## added by CiD
    127.0.0.1 errorprotector.com ## added by CiD
    127.0.0.1 errorsafe.com ## added by CiD
    127.0.0.1 es.winantivirus.com ## added by CiD
    127.0.0.1 fr.winantivirus.com ## added by CiD
    127.0.0.1 fr.winfixer.com ## added by CiD
    127.0.0.1 go.drivecleaner.com ## added by CiD
    127.0.0.1 go.errorsafe.com ## added by CiD
    127.0.0.1 go.winantispyware.com ## added by CiD
    127.0.0.1 go.winantivirus.com ## added by CiD
    127.0.0.1 hk.winantivirus.com ## added by CiD
    127.0.0.1 instlog.errorsafe.com ## added by CiD
    127.0.0.1 instlog.winantivirus.com ## added by CiD
    127.0.0.1 instlog.winfixer.com ## added by CiD
    127.0.0.1 jsp.drivecleaner.com ## added by CiD
    127.0.0.1 kb.errorsafe.com ## added by CiD
    127.0.0.1 kb.winantivirus.com ## added by CiD
    127.0.0.1 nl.errorsafe.com ## added by CiD
    127.0.0.1 se.errorsafe.com ## added by CiD
    127.0.0.1 secure.drivecleaner.com ## added by CiD
    127.0.0.1 secure.errorsafe.com ## added by CiD
    127.0.0.1 secure.winantispam.com ## added by CiD
    127.0.0.1 secure.winantispy.com ## added by CiD
    127.0.0.1 secure.winantivirus.com ## added by CiD
    127.0.0.1 support.winantivirus.com ## added by CiD
    127.0.0.1 trial.updates.winsoftware.com ## added by CiD
    127.0.0.1 ulog.winantivirus.com ## added by CiD
    127.0.0.1 utils.errorsafe.com ## added by CiD
    127.0.0.1 utils.winantivirus.com ## added by CiD
    127.0.0.1 utils.winfixer.com ## added by CiD
    127.0.0.1 winantispyware.com ## added by CiD
    127.0.0.1 winantivirus.com ## added by CiD
    127.0.0.1 winfixer.com ## added by CiD
    127.0.0.1 winfixer2006.com ## added by CiD
    127.0.0.1 winsoftware.com ## added by CiD
    127.0.0.1 www.drivecleaner.com ## added by CiD
    127.0.0.1 www.errorprotector.com ## added by CiD
    127.0.0.1 www.errorsafe.com ## added by CiD
    127.0.0.1 www.systemdoctor.com ## added by CiD
    127.0.0.1 www.utils.winfixer.com ## added by CiD
    127.0.0.1 www.win-anti-virus-pro.com ## added by CiD
    127.0.0.1 www.win-virus-pro.com ## added by CiD
    127.0.0.1 www.winantispam.com ## added by CiD
    127.0.0.1 www.winantispy.com ## added by CiD
    127.0.0.1 www.winantispyware.com ## added by CiD
    127.0.0.1 www.winantivirus.com ## added by CiD
    127.0.0.1 www.winantiviruspro.com ## added by CiD
    127.0.0.1 www.windrivecleaner.com ## added by CiD
    127.0.0.1 www.windrivesafe.com ## added by CiD
    127.0.0.1 www.winfixer.com ## added by CiD
    127.0.0.1 www.winfixer2006.com ## added by CiD
    127.0.0.1 www.winsoftware.com ## added by CiD

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{5309D044-093A-4786-AB21-AC068C1C4CCC}: DhcpNameServer=192.168.1.1 0.0.0.0
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{5309D044-093A-4786-AB21-AC068C1C4CCC}: DhcpNameServer=192.168.1.1 0.0.0.0
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{5309D044-093A-4786-AB21-AC068C1C4CCC}: DhcpNameServer=192.168.1.1 0.0.0.0
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{D374F852-94C0-450E-9922-5126589B1B55}: DhcpNameServer=192.168.1.254
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ———————————————————————–

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:29:48, on 15-5-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    C:\PROGRA~1\THOMSO~1\SPEEDT~1\PRISMSVR.EXE
    C:\WINDOWS\system32\mmc.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\DfrgNtfs.exe
    C:\Documents and Settings\Coen\Application Data\U3\0000184519602EC1\LaunchPad.exe
    E:\totalcmd\TOTALCMD.EXE
    C:\WINDOWS\system32\ntvdm.exe
    c:\Program Files\hijackthis\HijackThis.exe
    c:\Program Files\hijackthis\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {01B65A04-0172-4738-A95D-43FE507E86D3} - \
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{04037571-0BB0-1043-0525-05050621001f}] "C:\Program Files\Common Files\{04037571-0BB0-1043-0525-05050621001f}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{04037571-0BB0-1043-0525-05050621001f}] "C:\Program Files\Common Files\{04037571-0BB0-1043-0525-05050621001f}\Update.exe" mc-110-12-0000140 (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mijnalbum.nl/skin/system/upload/ImageUploader3.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4925/mcfscan.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


    End of file - 5383 bytes
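The "hosts" and "DNS" sections of the SmitFraudFix log above are printed so a reader can spot two redirection tricks: host names pointed at an address the attacker controls, and resolvers replaced by external ones. In this log every hosts entry points at 127.0.0.1 and both DhcpNameServer values are RFC 1918 router addresses, so neither section shows a redirect. The script below is an added example (not part of the thread, of SmitFraudFix, of CiD or of Spybot) that applies that reading automatically. Its input is constructed: three hosts lines copied from the log, one invented redirect line using the documentation-only address 203.0.113.7, and the DhcpNameServer strings from the log.

```python
"""Audit the two network-redirection surfaces SmitFraudFix prints: the hosts
file and the per-interface DhcpNameServer values.

Added example, not part of the thread or of SmitFraudFix.
"""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Destinations that black-hole a name rather than redirect it.
NULL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (ip, hostname, comment) per mapping; handles tabs, several names per line and '#' comments."""
    for raw in text.splitlines():
        mapping, _, comment = raw.partition("#")
        fields = mapping.split()
        if len(fields) < 2:
            continue                         # blank or comment-only line
        for name in fields[1:]:
            yield fields[0], name.lower(), comment.strip("# ").strip()


def audit_hosts(text: str) -> Dict[str, list]:
    """Sort hosts entries into three buckets:
       localhost - the normal loopback lines
       sinkhole  - names pointed at a null target (a blocklist such as the '## added by CiD' lines; benign)
       redirect  - names pointed at a real address: the hijack pattern worth investigating
    """
    out: Dict[str, list] = {"localhost": [], "sinkhole": [], "redirect": []}
    for ip, name, _comment in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            out["localhost"].append(name)
        elif ip in NULL_TARGETS:
            out["sinkhole"].append(name)
        else:
            out["redirect"].append((name, ip))
    return out


def classify_nameservers(dhcp_value: str) -> List[Tuple[str, str]]:
    """DhcpNameServer is a space-separated list; label each resolver address."""
    verdicts = []
    for tok in dhcp_value.split():
        ip = ipaddress.ip_address(tok)
        if ip.is_unspecified:
            verdict = "placeholder"
        elif ip.is_private or ip.is_loopback:
            verdict = "local (RFC 1918 router or self): expected on a home LAN"
        else:
            verdict = "public resolver: confirm it belongs to your ISP before trusting it"
        verdicts.append((tok, verdict))
    return verdicts


# Constructed sample: three lines from the log above plus one invented redirect.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 www.winfixer.com ## added by CiD
203.0.113.7 online-banking.example www.online-banking.example   # constructed redirect line
"""
SAMPLE_DNS = ["192.168.1.1 0.0.0.0", "192.168.1.254"]   # DhcpNameServer values from the log

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkhole'])} sinkholed name(s), {len(report['redirect'])} redirect(s):")
    for name, ip in report["redirect"]:
        print(f"  REDIRECT {name} -> {ip}")
    for value in SAMPLE_DNS:
        for ip, verdict in classify_nameservers(value):
            print(f"  DNS {ip}: {verdict}")
```

The bucket names matter more than the counts: a long sinkhole list is normal after Spybot's immunisation, whereas a single redirect line for a bank, search engine or antivirus vendor is the entry SmitFraudFix exists to surface.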




  • Here is one more log, from the other user account:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:34:09, on 15-5-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\lexpps.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    C:\PROGRA~1\THOMSO~1\SPEEDT~1\PRISMSVR.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {01B65A04-0172-4738-A95D-43FE507E86D3} - \
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mijnalbum.nl/skin/system/upload/ImageUploader3.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4925/mcfscan.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    ——————
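    As an added example (not code from this thread, and not part of HijackThis itself), here is a small Python triage helper for logs in the v1.99.1 format posted above. It parses the O-lines, extracts the CLSID and the file path (or URL) each entry points at, and flags two things an analyst checks first by hand: entries with no file path at all (such as the first O2 BHO line above, which ends in a bare "\"), and O4 Run entries that name a bare executable that Windows resolves via the search path rather than an absolute path. The sample lines are constructed from the log's format; the flag reasons are the helper's own, not a verdict on this PC.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99.1 format, modelled on the log above
# (a handful of lines, not the full log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {01B65A04-0172-4738-A95D-43FE507E86D3} - \\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O4 - HKLM\\..\\Run: [SigmatelSysTrayApp] stsystra.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(.*?)\] (.*)$")
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")   # drive letter or UNC path


@dataclass
class Entry:
    section: str           # "O2", "O4", "O16", ...
    body: str              # everything after "Oxx - "
    clsid: Optional[str]   # COM class id, if the line carries one
    path: str              # file path or URL the entry points at ("" if none)
    reason: str            # why it was flagged; "" when nothing stood out


def _first_token(command: str) -> str:
    """Return the executable part of a Run command line (quoted, or the first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O-line; R-lines, headers and the process list are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    if section == "O4":
        o4 = O4_RE.match(body)
        path = _first_token(o4.group(2)) if o4 else ""
    elif clsid_m:
        # Path/URL is the first " - " separated field after the CLSID; this keeps
        # paths such as "Spybot - Search & Destroy" intact.
        _, sep, tail = body[clsid_m.end():].partition(" - ")
        path = tail.strip() if sep else ""
    else:
        # O20/O23-style lines carry no CLSID; the path is the last " - " field.
        _, sep, tail = body.rpartition(" - ")
        path = tail.strip() if sep else ""
    reason = ""
    if path in ("", "\\", "(no file)"):
        reason = "no file path recorded; the registry entry points at nothing visible on disk"
    elif section == "O4" and not ABS_PATH_RE.match(path):
        reason = "bare file name; resolved via the search path, so its real location must be verified"
    return Entry(section, body, clsid, path, reason)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(text: str) -> List[Entry]:
    """Return only the entries that deserve a manual look."""
    return [e for e in parse_log(text) if e.reason]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} {e.clsid or '-'} {e.path!r}: {e.reason}")
```

    Run it against a saved HijackThis log by reading the file and passing its text to triage(); the two flagged sample entries are exactly the kind of lines helpers on a thread like this one ask about first, because a BHO without a file and a Run entry without a directory are the two cases where the log alone cannot tell you what actually loads.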



  • OK, I don't think I had advised SmitFraud yet?

    Will you do this one now.

    Download and unzip HostsXpert to its own folder,
    for example C:\HostsXpert.

    Start HostsXpert.exe

    click "restore microsoft's hosts files"

    Then close the program.

    Please post the two new HJT logs.
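    What the "restore microsoft's hosts files" step actually undoes, as an added example that is not code from this thread or from HostsXpert: a Python audit of hosts-file text that reports every mapping a clean Windows hosts file would not contain. A clean XP hosts file (at %SystemRoot%\system32\drivers\etc\hosts) maps only localhost to the loopback address; the DEFAULT_HOSTS string below is that single mapping, with Microsoft's comment header omitted as a simplification. The tampered sample is constructed, using documentation domains and the 192.0.2.0/24 documentation range.

```python
import ipaddress
from typing import List, Tuple

# The one mapping a clean Windows XP hosts file needs (assumption: the
# original file's comment header is left out here).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Names that legitimately map to the loopback address.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample of a tampered hosts file (not the hosts file from the PC in this thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test   # site silently blocked by sending it to loopback
192.0.2.10      www.example.com              # site redirected to another address
0.0.0.0         updates.example.net          # site blocked via the null address
"""

Finding = Tuple[str, str, str]   # (address, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (address, [hostnames]) pairs, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        entries.append((address, names))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Report every mapping that a default Windows hosts file would not contain."""
    findings: List[Finding] = []
    for address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in BENIGN_LOOPBACK_NAMES:
                continue                     # the only mapping a clean file has
            if addr.is_loopback or addr.is_unspecified:
                findings.append((address, name, "host blocked: mapped to loopback/null address"))
            else:
                findings.append((address, name, "host redirected: mapped to a foreign address"))
    return findings


if __name__ == "__main__":
    for address, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{address:<16} {name:<32} {reason}")
    # Restoring the file means writing DEFAULT_HOSTS back; the audit of that content is empty.
    print("default file clean:", audit_hosts(DEFAULT_HOSTS) == [])
```

    Run the audit on the current hosts file before restoring it: the findings tell you which sites were being blocked (typically update or security-vendor domains) or redirected, which is useful context for the next HJT log even after the file has been replaced.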
  • Unfortunately the PC is now elsewhere and I can't do anything with it.
    As far as I know there are no more problems, or do you think something is still left behind?

This is an archived page. Replying is no longer possible.