Spyware start page

Anonymous
M@rc
24 answers
  • When IE starts, my start page is set to: res://bpgpk.dll/index.html#37049
    Unwanted pop-ups also appear regularly.

    When I change it, it comes back the next time IE starts.
    Spybot, Ad-aware, CWShredder and HijackThis find spyware and remove it. But at the next start-up it is detected again.


    Here is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:38:25, on 14-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atlsr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\sysop.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\Ward\Bureaublad\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpgpk.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpgpk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bpgpk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A3B7B915-D6D2-510A-A72E-DE0B53457F00} - C:\WINDOWS\system32\mfcgl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CheckMedi8or] C:\Program Files\Mediator6\CheckNewUser.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\sysop.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: iFinger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102/activex/AxisCamControl.cab
    O16 - DPF: {A6DCA047-3979-41C8-A5B6-57013B4EC57C} (Fetcher Class) - http://www.ob.gouda.nl/Components/httpfetcher2.dll
    O16 - DPF: {CC0FC8B5-F895-11D2-BCDC-00105A68DFF3} (CIDSETTER Class) - http://www.ob.gouda.nl/Components/CIDSET.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
  • Download CWShredder.
    Do not start the program yet.

    Download Sphjfix. http://www.rokop-security.de/main/download.php?op=getit&lid=59
    Unzip the program and run it.
    After an automatic reboot, run CWShredder. Click the Fix button and reboot.
    After the reboot, run HijackThis once more and post a new log.
  • I did as you said.
    By the way, sphjfix did not reboot automatically.


    Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:43:39, on 14-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\sysop.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\atlsr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Ward\Bureaublad\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpgpk.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpgpk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bpgpk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ward\Application Data\Mozilla\Profiles\default\lgpf34of.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A3B7B915-D6D2-510A-A72E-DE0B53457F00} - C:\WINDOWS\system32\mfcgl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CheckMedi8or] C:\Program Files\Mediator6\CheckNewUser.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\sysop.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: iFinger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102/activex/AxisCamControl.cab
    O16 - DPF: {A6DCA047-3979-41C8-A5B6-57013B4EC57C} (Fetcher Class) - http://www.ob.gouda.nl/Components/httpfetcher2.dll
    O16 - DPF: {CC0FC8B5-F895-11D2-BCDC-00105A68DFF3} (CIDSETTER Class) - http://www.ob.gouda.nl/Components/CIDSET.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
  • Download the file Find-All.zip: http://freeatlast.100free.com/index.html
    Do not run the file from the zip folder. Unzip everything into a single folder.
    Open the folder and double-click FIND-ALL.bat (or FIND-ALL.CMD).
    Let the program do its work. This may take a while.
    When it is finished, a small file output.txt appears.
    Post the contents of this file.
  • –==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==–

    »»»»»»Find-All recent updates:»»»»»»
    *Size of Windows key
    *Winlogon\Notify
    *UserInit value
    *Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
    *Versions of major keys and windows files
    *list of active services and drivers ('FilesList')
    *Note:
    If using 'Find-All' to clean, be sure to include the link to your
    post in the forum!! (I keep recieving files I don't know where they came from…0-0…)
    *Note: Reg backup restore will not work if current user
    doesn't have 'Admin privileges'! (view »»Group/user section)


    Fri Jun 18 14:34:49 2004 – ++Results:
    »»System Info:

    Microsoft Windows XP [versie 5.1.2600]
    'Find-All' is running from Drive:
    C: "" (243D:D81C) - FS:NTFS clusters:4k
    Total: 119 957 479 424 [112G] - Free: 80 086 908 928 [75G]


    »»IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    –a– W32i APP NLD 6.0.2800.1106 shp 91,136 09-11-2002 iexplore.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q828750;Q330994;Q832894;Q837009;Q831167;

    »»Google:

    »»UserAgent:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    »»Wmplayer version:
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
    –a– W32i APP NLD 9.0.0.2980 shp 73,728 12-20-2002 wmplayer.exe
    6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
    –a– W32i APP NLD 6.4.9.1125 shp 4,639 09-11-2002 mplayer2.exe

    »»M$Java version:
    5.0.3810.0 C:\WINDOWS\System32\msjava.dll
    –a– W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

    »»NotePad(s) version(s):
    5.1.2600.0 C:\WINDOWS\notepad.exe
    –a– W32i APP NLD 5.1.2600.0 shp 67,072 09-11-2002 notepad.exe
    5.1.2600.0 C:\WINDOWS\System32\notepad.exe
    –a– W32i APP NLD 5.1.2600.0 shp 67,072 09-11-2002 notepad.exe

    »» Regedit* version(s):
    5.1.2600.1106 C:\WINDOWS\regedit.exe
    –a– W32i APP NLD 5.1.2600.1106 shp 140,800 09-11-2002 regedit.exe
    5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
    –a– W32i APP ENU 5.1.2600.0 shp 3,584 09-11-2002 regedt32.exe


    »»PC uptime:
    2:34pm up 0 days, 1:06

    »»Locked or 'Suspect' file(s) found…

    »»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
    Files listed in this section (in System32) are not always definitive!
    Always Double Check and be sure the file pointed doesn't exist!

    »»Tasks (services):
    0 System Process
    4 System
    688 SMSS.EXE
    736 CSRSS.EXE Title:
    760 WINLOGON.EXE Title: NetDDE Agent
    804 SERVICES.EXE Svcs: Eventlog,PlugPlay
    816 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
    992 ati2evxx.exe Svcs: Ati HotKey Poller
    1016 SVCHOST.EXE Svcs: RpcSs
    1124 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w32time,winmgm
    1296 SVCHOST.EXE Svcs: Dnscache
    1328 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
    1520 SPOOLSV.EXE Svcs: Spooler
    1844 ati2evxx.exe Title: ATI video bios poller client
    1892 EXPLORER.EXE Title: Program Manager
    1992 CDAC11BA.EXE Svcs: C-DillaCdaC11BA
    2028 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
    176 gearsec.exe Svcs: GEARSecurity
    264 MsPMSPSv.exe Svcs: WMDM PMSP Service
    468 javacj32.exe Svcs: __NS_Service_3
    664 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
    660 atiptaxx.exe Title: ATI Tray Icon Application
    680 DSentry.exe Title: DVDSentry
    704 CTSysVol.exe Title: Creative Volumeregeling
    720 CTDVDDET.exe Title: CTDVDDET
    884 CTHELPER.EXE Title: CtSpkHlp
    956 Directcd.exe Title: DirectCD
    1032 qttask.exe Title: 40c
    1048 CloneCDTray.exe Title: ElbyTrayWindow
    1068 iTunesHelper.exeiTunes HelperTitle: iTunes Helper
    1232 EM_EXEC.EXE Title: Logitech GetMessage Hook
    1244 iPodService.exe Svcs: iPodService
    1304 sysop.exe
    1248 WinCinemaMgr.exeTitle:
    1672 WZQKPICK.EXE Title: About WinZip Quick Pick
    2100 msnmsgr.exe Title: Animated BMP Sequence
    3772 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
    3928 NTVDM.EXE
    2168 tlist.exe
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3B7B915-D6D2-510A-A72E-DE0B53457F00}]
    @=""

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read INGEBOUWD\Gebruikers
    (ID-IO) ALLOW Read INGEBOUWD\Gebruikers
    (ID-NI) ALLOW Full access INGEBOUWD\Administrators
    (ID-IO) ALLOW Full access INGEBOUWD\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access MAKER EIGENAAR

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read INGEBOUWD\Gebruikers
    Full access INGEBOUWD\Administrators
    Full access NT AUTHORITY\SYSTEM




    »»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

    »»Winlogon\Notify:

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 6134

    »»UserInit value:

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

    5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
    –a– W32i APP NLD 5.1.2600.1106 shp 22,016 09-11-2002 userinit.exe

    »»Group/user settings:


    User: [DELL\Ward], is a member of:

    INGEBOUWD\Administrators
    \Everyone

    User is a member of group DELL\Geen.
    User is a member of group \Iedereen.
    User is a member of group INGEBOUWD\Administrators.
    User is a member of group INGEBOUWD\Gebruikers.
    User is a member of group \LOKAAL.
    User is a member of group NT AUTHORITY\INTERACTIEF.
    User is a member of group NT AUTHORITY\Geverifieerde gebruikers.

    »»ACLs list:
    C:\junkxxx INGEBOUWD\Administrators:F
    INGEBOUWD\Administrators:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:F
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
    DELL\Ward:F
    MAKER EIGENAAR:(OI)(CI)(IO)F
    INGEBOUWD\Gebruikers:R
    INGEBOUWD\Gebruikers:(OI)(CI)(IO)(special access:)

    GENERIC_READ
    GENERIC_EXECUTE

    INGEBOUWD\Gebruikers:(CI)(special access:)

    FILE_APPEND_DATA

    INGEBOUWD\Gebruikers:(CI)(special access:)

    FILE_WRITE_DATA


    ERROR: Er zijn geen bestanden meer.


    »»File(s) in 'junkxxx' folder:

    »»Md5sums

    MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
    Copyright (C) 2001-2002 Jem Berkes - http://www.pc-tools.net/


    0 bytes, 0 ms = 0.00 MB/sec

    »»hosts file:
    Bestand niet gevonden - C:\WINDOWS\System32\Drivers\etc\hosts
    ——
    »»Rehash:

    »Strings found:

    Fri Jun 18 14:34:56 2004 – ++Find-All backups:
    A C:\FindallwinBackup.hiv
    –a– - - - - - 8,192 06-18-2004 findallwinbackup.hiv
    A C:\findallappinit.reg
    –a– - - - - - 594 06-18-2004 findallappinit.reg
    A C:\DOCUME~1\Ward\BUREAU~1\SPYWAR~1\FindAll\Find-All\winBackup.hiv
    A C:\DOCUME~1\Ward\BUREAU~1\SPYWAR~1\FindAll\Find-All\Fileslist\drivers.txt
    A C:\DOCUME~1\Ward\BUREAU~1\SPYWAR~1\FindAll\Find-All\Fileslist\modules.txt
    A C:\DOCUME~1\Ward\BUREAU~1\SPYWAR~1\FindAll\Find-All\Fileslist\services.txt
    A C:\DOCUME~1\Ward\BUREAU~1\SPYWAR~1\FindAll\Find-All\Fileslist\windows.txt

    ***Next Registry run should open this key directly:

    ! REG.EXE VERSION 2.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
    LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    



  • Hello Rob,

    Not the result we wanted with that log. We keep looking.
    Close all open windows, run HijackThis again and have it fix the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpgpk.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpgpk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bpgpk.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049

    O2 - BHO: (no name) - {A3B7B915-D6D2-510A-A72E-DE0B53457F00} - C:\WINDOWS\system32\mfcgl.dll

    Once you have done that, start the computer in safe mode.
    Make sure all hidden files are shown, and delete the following files or folders if present:
    C:\WINDOWS\system32\bpgpk.dll <– this file
    C:\WINDOWS\system32\mfcgl.dll <– this file

    Empty your Temp folder and the Temporary Internet Files folder as well.
    Scan with Ad-aware and CWShredder.
    Update Ad-aware before you scan. (instructions: see sig)

    Post a new HijackThis log.

    If your problem is not solved, I'd like to check this as well:
    Download this.
    Unzip the file and click appinit.bat.
    A small file is created: windows.txt.

    Copy its contents into your next post.
  • Hello Marc,

    It didn't help.
    The start page is now set to: res://rkalx.dll/index.html#37049

    Here is the appinit log:





    And here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:58:44, on 20-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Ward\Bureaublad\Spyware zooi\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Ward\Application Data\Mozilla\Profiles\default\lgpf34of.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ward\Application Data\Mozilla\Profiles\default\lgpf34of.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {96540400-C364-871F-2E14-83ED06818F50} - C:\WINDOWS\system32\sdkws.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CheckMedi8or] C:\Program Files\Mediator6\CheckNewUser.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\sysop.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
    O4 - HKLM\..\RunOnce: [winfe.exe] C:\WINDOWS\winfe.exe
    O4 - HKLM\..\RunOnce: [sdkqt32.exe] C:\WINDOWS\sdkqt32.exe
    O4 - HKLM\..\RunOnce: [systa32.exe] C:\WINDOWS\systa32.exe
    O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\system32\mfctb32.exe
    O4 - HKLM\..\RunOnce: [ietl.exe] C:\WINDOWS\ietl.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: iFinger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102/activex/AxisCamControl.cab
    O16 - DPF: {A6DCA047-3979-41C8-A5B6-57013B4EC57C} (Fetcher Class) - http://www.ob.gouda.nl/Components/httpfetcher2.dll
    O16 - DPF: {CC0FC8B5-F895-11D2-BCDC-00105A68DFF3} (CIDSETTER Class) - http://www.ob.gouda.nl/Components/CIDSET.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
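As an added example (not code from this thread, from HijackThis or from any of the tools named in it), a Python triage script that applies the pattern behind M@rc's fix list to HijackThis 1.x logs: R0/R1 start or search pages pointing at a res:// DLL resource, unnamed BHOs loaded from system32, and RunOnce entries. It also compares two logs of the same machine, which makes the renamed component visible (bpgpk.dll and mfcgl.dll gone, sdkws.dll and the RunOnce droppers new); the log excerpts are constructed from the posts above, and the system32 BHO rule is a heuristic of mine, not something HijackThis itself flags.

```python
"""Triage HijackThis 1.x logs for the res://-style IE hijack discussed in this thread."""
import re
from dataclasses import dataclass

# Every HijackThis finding is "<section> - <body>", e.g. "R0 - HKCU\...\Main,Start Page = ...".
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# res:// URLs load a page embedded in a local DLL. Both forms seen in the logs are matched:
# the bare "res://x.dll/..." and the full-path "res://C:\WINDOWS\system32\x.dll/...".
RES_URL = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?(?P<dll>[^/\\]+\.dll)/", re.IGNORECASE)
BHO_LINE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUNONCE = re.compile(r"^HKLM\\\.\.\\RunOnce: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    component: str  # file name of the DLL/EXE the entry points at, lower-cased
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the log entries matching the hijack pattern M@rc's fix list is based on."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, "Running processes" paths, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            r = RES_URL.search(body)
            if r:  # a user's start/search page has no business being a page inside a DLL
                findings.append(Finding(sec, r.group("dll").lower(),
                                        "IE start/search page served from a local DLL resource", line))
        elif sec == "O2":
            b = BHO_LINE.match(body)
            # Heuristic (mine): a BHO with no registered name living in system32 is worth a look;
            # a normal BHO such as Adobe's lives under Program Files.
            if b and b.group("name") == "(no name)" and "\\system32\\" in b.group("path").lower():
                dll = b.group("path").rsplit("\\", 1)[-1].lower()
                findings.append(Finding(sec, dll, "unnamed BHO loaded from system32 (heuristic, review by hand)", line))
        elif sec == "O4":
            ro = RUNONCE.match(body)
            if ro:  # one-shot entries; the thread's third log gained six of them after the clean-up
                exe = ro.group("cmd").rsplit("\\", 1)[-1].lower()
                findings.append(Finding(sec, exe, "RunOnce entry scheduled for the next boot", line))
    return findings


def hijack_components(log_text: str) -> set[str]:
    """File names behind the flagged entries, so two logs of the same machine can be compared."""
    return {f.component for f in triage(log_text)}


def compare_logs(before: str, after: str) -> dict[str, set[str]]:
    """A hijack that survives a clean-up under a new random file name shows up as
    'removed' plus 'new' with nothing in 'persisted', exactly as in this thread."""
    old, new = hijack_components(before), hijack_components(after)
    return {"persisted": old & new, "removed": old - new, "new": new - old}


# Constructed excerpts of the logs posted in the thread (14-6-2004 and 20-6-2004).
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\atlsr.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bpgpk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bpgpk.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A3B7B915-D6D2-510A-A72E-DE0B53457F00} - C:\WINDOWS\system32\mfcgl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
O2 - BHO: (no name) - {96540400-C364-871F-2E14-83ED06818F50} - C:\WINDOWS\system32\sdkws.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\system32\mfctb32.exe
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE) + triage(LOG_AFTER):
        print(f"{f.section:<3} {f.component:<12} {f.reason}")
    print(compare_logs(LOG_BEFORE, LOG_AFTER))
```

An empty `persisted` set together with non-empty `removed` and `new` sets is the signature of a dropper re-creating the hijack under fresh names, which is why the helpers in the thread keep asking for a new log after each step rather than trusting a single clean scan.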
  • Rob,

    Post me a new HijackThis log.
  • Alsjeblieft:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:03:58, on 20-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\javacj32.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\sysop.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Ward\Bureaublad\Spyware zooi\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res:/
    kalx.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res:/
    kalx.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res:/
    kalx.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Ward\Application Data\Mozilla\Profiles\default\lgpf34of.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ward\Application Data\Mozilla\Profiles\default\lgpf34of.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {DBE2DCC3-5963-788D-30AC-7058D49B4E14} - C:\WINDOWS\system32\javaaa32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CheckMedi8or] C:\Program Files\Mediator6\CheckNewUser.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\sysop.exe
    O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
    O4 - HKLM\..\RunOnce: [winfe.exe] C:\WINDOWS\winfe.exe
    O4 - HKLM\..\RunOnce: [sdkqt32.exe] C:\WINDOWS\sdkqt32.exe
    O4 - HKLM\..\RunOnce: [systa32.exe] C:\WINDOWS\systa32.exe
    O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\system32\mfctb32.exe
    O4 - HKLM\..\RunOnce: [ietl.exe] C:\WINDOWS\ietl.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: iFinger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102/activex/AxisCamControl.cab
    O16 - DPF: {A6DCA047-3979-41C8-A5B6-57013B4EC57C} (Fetcher Class) - http://www.ob.gouda.nl/Components/httpfetcher2.dll
    O16 - DPF: {CC0FC8B5-F895-11D2-BCDC-00105A68DFF3} (CIDSETTER Class) - http://www.ob.gouda.nl/Components/CIDSET.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab


  • C:\WINDOWS\system32\javacj32.exe
    C:\WINDOWS\sysop.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res:/
    kalx.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res:/
    kalx.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res:/
    kalx.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049

    O2 - BHO: (no name) - {DBE2DCC3-5963-788D-30AC-7058D49B4E14} - C:\WINDOWS\system32\javaaa32.dll

    O4 - HKLM\..\Run: [CheckMedi8or] C:\Program Files\Mediator6\CheckNewUser.exe

    O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\sysop.exe
    O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
    O4 - HKLM\..\RunOnce: [winfe.exe] C:\WINDOWS\winfe.exe
    O4 - HKLM\..\RunOnce: [sdkqt32.exe] C:\WINDOWS\sdkqt32.exe
    O4 - HKLM\..\RunOnce: [systa32.exe] C:\WINDOWS\systa32.exe
    O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\system32\mfctb32.exe
    O4 - HKLM\..\RunOnce: [ietl.exe] C:\WINDOWS\ietl.exe

    O16 - DPF: {A6DCA047-3979-41C8-A5B6-57013B4EC57C} (Fetcher Class) - http://www.ob.gouda.nl/Components/httpfetcher2.dll
    O16 - DPF: {CC0FC8B5-F895-11D2-BCDC-00105A68DFF3} (CIDSETTER Class) - http://www.ob.gouda.nl/Components/CIDSET.dll

    What a mess.


  • Rob,

    Hold on a moment if you don't mind. I want to try something… I'll post shortly…

    Sorry Rieske, but this is a new hijacker, and if you only work with HijackThis it will most likely come straight back…
  • OK, I'm curious.
  • Rob,

    Make sure all hidden files are shown: http://users.pandora.be/marcvn/spyware/1117602.htm

    Open the Task Manager by pressing CTRL+ALT+DEL. Go to the Processes tab. Double-click the Processes column header to sort them alphabetically. End the following processes:
    C:\WINDOWS\system32\javacj32.exe
    C:\WINDOWS\sysop.exe

    Go to Start -> Run and type: Services.msc
    Look through the services for "Network Security Service".
    Double-click this service and, in the window that appears, set Startup type to Disabled. Click Apply and then OK. Close all windows.
    Run HijackThis, click Scan and have the following fixed:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res:/
    kalx.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res:/
    kalx.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res:/
    kalx.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049

    O2 - BHO: (no name) - {DBE2DCC3-5963-788D-30AC-7058D49B4E14} - C:\WINDOWS\system32\javaaa32.dll

    O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\sysop.exe
    O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
    O4 - HKLM\..\RunOnce: [winfe.exe] C:\WINDOWS\winfe.exe
    O4 - HKLM\..\RunOnce: [sdkqt32.exe] C:\WINDOWS\sdkqt32.exe
    O4 - HKLM\..\RunOnce: [systa32.exe] C:\WINDOWS\systa32.exe
    O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\system32\mfctb32.exe
    O4 - HKLM\..\RunOnce: [ietl.exe] C:\WINDOWS\ietl.exe

    Start the computer in Safe Mode and delete the following files (press F8 while booting):
    C:\WINDOWS\system32\javacj32.exe <-- rename this file to javacj32.old
    C:\WINDOWS\system32\rkalx.dll <-- delete this file
    C:\WINDOWS\system32\javaaa32.dll <-- delete this file
    C:\WINDOWS\sysop.exe <-- rename this file to sysop.old

    Copy the quote below into a Notepad file and save it as cwsuninst.reg

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Shopping Wizard"=-
    "Search Extender"=-
    "Home Search Assistant"=-

    Double-click it to add the changes to the registry.

    Reboot the computer in normal mode, run HijackThis once more and post a new log.
    Give a bit of explanation of what worked and what didn't.

    Good luck.
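
The entries pulled out of the log in the "What a mess" post and the fix list above, turned into a small triage script (an added example, not code from the thread or from HijackThis): it parses a HijackThis 1.9x log, re-joins the wrapped `res:/` lines, and flags the four things this CoolWebSearch variant left behind. The sample log is a constructed, trimmed copy of the second log posted in the thread; the "self-named loader" and "random xxxx32.exe in system32" heuristics are this example's own, not rules shipped with HijackThis.

```python
"""Triage a HijackThis 1.9x log for the CoolWebSearch pattern seen in this thread.
Added example, not code from the thread or from HijackThis; rules explained inline."""
import re

ENTRY = re.compile(r"^[A-Z]\d{1,2} - ")     # R0, O2, O4, O16, ... entries
PATH = re.compile(r"^[A-Za-z]:\\")           # "Running processes" lines
HEADERS = ("Logfile of", "Scan saved", "Platform:", "MSIE:", "Running processes:")
RES_DLL = re.compile(r"res:/\S*\.dll/", re.I)  # IE start/search page served out of a DLL
# O4 loader whose Run/RunOnce key is named after the file: "[sysop.exe] C:\WINDOWS\sysop.exe"
O4_ENTRY = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?:Run|RunOnce): \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O2_SYS32 = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - C:\\WINDOWS\\system32\\", re.I)
# random "xxxx32.exe" in system32 (javacj32.exe), minus the Windows binaries with that suffix
PROC_32 = re.compile(r"^C:\\WINDOWS\\system32\\([a-z]{4,6}32)\.exe$", re.I)
WINDOWS_OWN_32 = {"rundll32", "regsvr32"}

def parse_log(text):
    """Split the log into entries, re-joining the 'res:/' values the forum wrapped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(HEADERS):
            continue
        if ENTRY.match(line) or PATH.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line  # continuation of the previous entry
    return entries

def basename(cmd):
    """Lower-cased file name of a (possibly quoted) command line."""
    return cmd.replace('"', "").split("\\")[-1].lower()

def suspicious_entries(text):
    """Return (reason, entry) pairs for every entry that matches one of the rules."""
    entries, hits, loaders = parse_log(text), [], set()
    for e in entries:
        if e[:2] in ("R0", "R1") and RES_DLL.search(e):
            hits.append(("ie_page_in_dll", e))
        elif (m := O4_ENTRY.match(e)) and m["key"].lower() == basename(m["cmd"]):
            loaders.add(basename(m["cmd"]))
            hits.append(("self_named_loader", e))
        elif O2_SYS32.match(e):
            hits.append(("unnamed_bho_system32", e))
    for e in entries:  # second pass: is a loader (or a random xxxx32.exe) running?
        m = PROC_32.match(e)
        unknown_32 = m is not None and m[1].lower() not in WINDOWS_OWN_32
        if PATH.match(e) and (unknown_32 or basename(e) in loaders):
            hits.append(("loader_process_running", e))
    return hits

# Constructed sample: a trimmed copy of the second log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\javacj32.exe
C:\WINDOWS\sysop.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rkalx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res:/
kalx.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {DBE2DCC3-5963-788D-30AC-7058D49B4E14} - C:\WINDOWS\system32\javaaa32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\sysop.exe
O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINDOWS\system32\mfctb32.exe
"""
```

`suspicious_entries(SAMPLE_LOG)` returns seven hits (two rewritten IE pages, the unnamed BHO, two self-named loaders, and both loader processes) and leaves rundll32.exe, the Acrobat BHO and the QuickTime entry alone.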


  • Hi M@rc,

    Logfile of HijackThis v1.97.7
    Scan saved at 19:29:29, on 20-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\Ward\Bureaublad\Spyware zooi\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Ward\Application Data\Mozilla\Profiles\default\lgpf34of.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ward\Application Data\Mozilla\Profiles\default\lgpf34of.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CheckMedi8or] C:\Program Files\Mediator6\CheckNewUser.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: iFinger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.18.69.102/activex/AxisCamControl.cab
    O16 - DPF: {A6DCA047-3979-41C8-A5B6-57013B4EC57C} (Fetcher Class) - http://www.ob.gouda.nl/Components/httpfetcher2.dll
    O16 - DPF: {CC0FC8B5-F895-11D2-BCDC-00105A68DFF3} (CIDSETTER Class) - http://www.ob.gouda.nl/Components/CIDSET.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab




    I did as you said.
    However, I could not find the file javaaa32.dll. The problem does seem to be solved now.
    But I would like some info on what was actually going on.

    Thanks
  • Hello Rob,

    Let's hope it stays away, because all of this is still in an experimental phase…

    That you could not find javaaa32.dll seems normal to me. HijackThis should remove it, and apparently the program did so. I just wanted to play it safe.

    What you were suffering from is a new CoolWebSearch variant. The well-known programs Ad-aware, Spybot and CWShredder cannot remove this one yet.
    The security experts are currently working hard on a procedure to remove this hijacker.
    Believe me, it is a pest, and it is impossible to keep up with.

    Now that we have got this far, you still need to check the following:
    1. In the folder c:\windows\system32 there should be a file control.exe. Is that correct?
    Sometimes this little file is deleted by the hijacker.

    2. Also check whether the hosts file is still present. It is located in the folder C:\WINDOWS\system32\drivers\etc

    regards,
  • Can we safely consider the dividing line between viruses and hijackers gone?
    ;)
  • =Rieske= wrote: "Can we safely consider the dividing line between viruses and hijackers gone? ;)"
    I think so…
  • M@rc,

    The control.exe file is present. I'm no computer expert, so I'll leave that hosts thing for what it is.
    Are there any other special things to watch out for to prevent a new infection?

    In any case, many thanks for the help.

    regards,
    Rob
  • Rob,

    It might still be best to check whether hosts is present…
  • What exactly do you mean by hosts?


This is an archived page. Replying is no longer possible.