Question & Answer

Security & privacy

who can help

Anonymous
pcguy
4 answers
 • Attached is my HijackThis log file...
  I keep getting mk:@MSITStore: C:\spe\start.chm::/start.html# as my start page... a very nice nature picture, but not for my son.
  I can't get it removed, not with Shredder nor with HijackThis.

  Who would like to take a look at these child-unfriendly pictures?  Ronald

  Logfile of HijackThis v1.97.7
  Scan saved at 19:57:40, on 20-9-2004
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\csrss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\System32\alg.exe
  C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
  C:\Norman\NVC\BIN\Zanda.exe
  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  C:\NORMAN\Nvc\BIN\ZLH.EXE
  C:\Program Files\WindUpdates\WinUpdt.exe
  C:\Program Files\WindUpdates\WinKA.exe
  C:\temp\msbb.exe
  C:\NORMAN\Nvc\BIN\NYMSE.EXE
  C:\NORMAN\Nvc\BIN\NIP.EXE
  C:\WINDOWS\olecom32.exe
  C:\WINDOWS\System32\ctfmon.exe
  C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
  C:\NORMAN\Nvc\BIN\NJEEVES.EXE
  C:\NORMAN\Nvc\BIN\nvcoas.exe
  C:\NORMAN\Nvc\BIN\nipsvc.exe
  C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
  C:\NORMAN\Nvc\BIN\cclaw.exe
  L:\virusfix_en\hijackthis\HijackThis.exe

  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
  O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
  O2 - BHO: (no name) - {63FF372E-C265-5BB7-D123-675578A92A3B} - C:\WINDOWS\System32\qorzc.dll
  O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
  O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
  O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll
  O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
  O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
  O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
  O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
  O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
  O4 - HKLM\..\Run: [ypvoaqcy] C:\WINDOWS\System32\wuukimcf.exe
  O4 - HKLM\..\Run: [OELoader] OELoader.exe
  O4 - HKLM\..\Run: [lch] C:\WINDOWS\lch.exe
  O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
  O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
  O4 - HKLM\..\Run: [mjyfolqh] C:\WINDOWS\mjyfolqh.exe
  O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [Trdc] C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe
  O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
  O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
  O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
  O9 - Extra button: Related (HKLM)
  O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
  O9 - Extra button: Real.com (HKLM)
  O9 - Extra button: Microsoft® VBScript® Console (HKLM)
  O9 - Extra 'Tools' menuitem: VBScript Terminal (HKLM)
  O9 - Extra button: Messenger (HKLM)
  O9 - Extra 'Tools' menuitem: Messenger (HKLM)
  O9 - Extra button: Microsoft® VBScript® Terminal (HKCU)
  O9 - Extra 'Tools' menuitem: VBScript Terminal (HKCU)
  O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
  O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
  O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://63.217.29.115/cax.cab
  O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
  O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
  O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.122349537
  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
 • I'll take a look in a moment,
 • Close all windows, run HJT again and fix these items:
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
  O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
  O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
  O2 - BHO: (no name) - {63FF372E-C265-5BB7-D123-675578A92A3B} - C:\WINDOWS\System32\qorzc.dll
  O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
  O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
  O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
  O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
  O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
  O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
  O4 - HKLM\..\Run: [ypvoaqcy] C:\WINDOWS\System32\wuukimcf.exe
  O4 - HKLM\..\Run: [OELoader] OELoader.exe
  O4 - HKLM\..\Run: [lch] C:\WINDOWS\lch.exe
  O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
  O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
  O4 - HKLM\..\Run: [mjyfolqh] C:\WINDOWS\mjyfolqh.exe
  O4 - HKCU\..\Run: [Trdc] C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe
  O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
  O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
  O9 - Extra button: Related (HKLM)
  O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
  O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
  O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://63.217.29.115/cax.cab


  Restart in Safe Mode, enable showing all files, then delete:
  C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp <— empty this folder
  C:\WINDOWS\System32\qorzc.dll <— this file
  C:\WINDOWS\System32\nvms.dll <— this file
  C:\WINDOWS\System32\mscb.dll <— this file
  C:\WINDOWS\System32\msbe.dll <— this file
  C:\Program Files\WindUpdates
  c:\temp <— empty this folder
  C:\WINDOWS\olecom32.exe <— this file
  C:\WINDOWS\System32\wuukimcf.exe <— this file
  OELoader.exe <— this file
  C:\WINDOWS\lch.exe <— this file
  C:\Program Files\Web_Rebates <— delete this folder
  C:\WINDOWS\System32\services\msxmidi.exe <— this file
  C:\WINDOWS\mjyfolqh.exe <— this file
  C:\Documents and Settings\Frans Wouters\Application Data\nwlm.exe <— this file


  Restart in normal mode and post a new HijackThis log, and also mail me a log from: http://users.pandora.be/marcvn/tools/get_active_services.zip (unzip it and run the script; an active.txt is created, mail me that file, I'll PM you my mail address)
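As an added example (not code from the thread, from HijackThis or from the helper above), a small Python triage script that applies the same heuristics pcguy used by hand to HijackThis-format log lines: start/search settings pointing at a local .chm or file:// path, unnamed BHOs, autostart entries in temp or profile-data folders or without a directory, URL-prefix hijacks, and unnamed ActiveX downloads from a raw IP. The sample lines are constructed, modelled on the log posted above, with three benign entries kept as controls.

```python
import re

# Constructed sample in HijackThis log format, modelled on the thread's log;
# the Google start page, Norman Run entry and Shockwave DPF are benign controls.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FRANSW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: (no name) - {63FF372E-C265-5BB7-D123-675578A92A3B} - C:\WINDOWS\System32\qorzc.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [OELoader] OELoader.exe
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://63.217.29.115/cax.cab
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)

def reason_for(section, body):
    """Return why an entry is suspicious, or None if no heuristic matches."""
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip().lower()
        if value.startswith(("mk:@msitstore:", "file://")):
            return "IE start/search setting points at a local file"
    elif section == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object"
    elif section == "O4" and "]" in body:
        target = body.split("]", 1)[1].strip().strip('"').lower()
        if "\\temp\\" in target or "application data" in target:
            return "autostart from a temp or profile data folder"
        if "\\" not in target.split(" ")[0]:
            return "autostart with no directory (relies on the search path)"
    elif section == "O13":
        return "URL prefix hijack"
    elif section == "O16" and (RAW_IP_URL.search(body) or ") -" not in body):
        return "ActiveX download with no control name or from a raw IP"
    return None

def triage(log_text):
    # Returns (entry, reason) for every log line a heuristic flags.
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and (reason := reason_for(m.group(1), m.group(2))):
            hits.append((line.strip(), reason))
    return hits
```

Running `triage(SAMPLE_LOG)` flags seven of the ten sample entries and leaves the three controls alone; the heuristics are a first pass for reading a log, not a replacement for checking each item.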
 • Just received the HijackThis log, Active.txt is on its way; I'm posting them here so M@rc can take a look too.

This is an archived page. Replying is no longer possible.