Request: HijackThis check, please

Anonymous
MKL
4 answers
 • Hello,

  I am working on an acquaintance's PC and there is quite a lot of junk on it. He can't even get on the internet anymore.
  I have already kicked out a number of Trojans with VirusScan, but there is surely more… At least I see a lot of strange %% characters and finders, which surely don't belong there…

  Can someone help me with this cleanup?
  Thanks in advance,

  Zabadak


  Logfile of HijackThis v1.97.7
  Scan saved at 19:38:54, on 6-10-04
  Platform: Windows 98 Gold (Win9x 4.10.1998)
  MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

  Running processes:
  C:\WINDOWS\SYSTEM\KERNEL32.DLL
  C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  C:\WINDOWS\SYSTEM\MPREXE.EXE
  C:\WINDOWS\SYSTEM\mmtask.tsk
  C:\WINDOWS\SYSTEM\MSTASK.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE DESKTOP FIREWALL FOR WINDOWS 98\FIRESVC.EXE
  C:\WINDOWS\EXPLORER.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
  C:\WINDOWS\STARTER.EXE
  C:\WINDOWS\TASKMON.EXE
  C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  C:\WINDOWS\SYSTEM\ATITASK.EXE
  C:\WINDOWS\SYSTEM\ATICWD32.EXE
  C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
  C:\PROGRAM FILES\MOUSE\SYSTEM\EM_EXEC.EXE
  C:\WINDOWS\LOADQM.EXE
  C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
  C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
  C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
  C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE DESKTOP FIREWALL FOR WINDOWS 98\FIRETRAY.EXE
  C:\WINDOWS\SYSTEM\RNAAPP.EXE
  C:\WINDOWS\SYSTEM\TAPISRV.EXE
  C:\_ZABADAK\HIJACKTHIS.EXE

  R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
  O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\DPE.DLL (file missing)
  O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
  O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
  O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
  O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
  O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
  O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
  O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
  O4 - HKLM\..\Run: [Atikey] Atitask.exe
  O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
  O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
  O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
  O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\mouse\system\em_exec.exe
  O4 - HKLM\..\Run: [LoadQM] loadqm.exe
  O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
  O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
  O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
  O4 - HKLM\..\RunServices: [FireService] C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 98\FireSvc.exe
  O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
  O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\MSXMIDI.EXE
  O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
  O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
  O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
  O4 - Startup: Corel Family and Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic\cffrem.exe
  O4 - Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 98\FireTray.exe
  O9 - Extra button: Related (HKLM)
  O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
  O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid
  O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
  O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
  O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
  O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 • Go to Control Panel - Add/Remove Programs - Change or Remove Programs. Uninstall the following program if present:
  Spykiller


  Close all open windows, run HijackThis once more and have the following items fixed:
  R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

  O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\DPE.DLL (file missing)

  O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
  O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\MSXMIDI.EXE

  O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
  O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?

  Once you have done this, start the computer in safe mode.
  Make sure all hidden files are shown, and delete the following files or folders if present:
  C:\Program Files\SpyKiller <-- this folder
  C:\WINDOWS\MSXMIDI.EXE <-- this file

  Reboot the computer.
  Go to the Windows Update site. Only that way can you be sure that you have the latest patches for your operating system installed. If new updates are available, download and install all critical updates and service packs. Reboot your computer and check again. Repeat this procedure until there are no more critical updates.

  Reboot the computer, run HijackThis again and post a new log.
  Do download the latest version of HijackThis first.
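
Added example (not part of the original thread and not HijackThis code): a small Python audit that shows why the R0/R1 and O13 entries in the first log stand out. In URL syntax everything before `@` in the authority is userinfo, so the real host is what follows it, and a percent-encoded host hides its name until decoded. The function names and the four-line sample (copied from the log above) are choices made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: four lines copied from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
"""

ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d+) - (?P<rest>.*)$")
URL = re.compile(r"https?://\S+", re.IGNORECASE)


def effective_host(url):
    """Return (host, reasons): the decoded host and why the URL is deceptive."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    reasons = []
    # Anything before the last '@' is userinfo, not the destination.
    userinfo, at, raw_host = authority.rpartition("@")
    if at:
        reasons.append("userinfo decoy %r before '@'" % unquote(userinfo))
    if "%" in raw_host:
        reasons.append("percent-encoded host")
    return unquote(raw_host).lower(), reasons


def audit(log_text):
    """Yield (entry code, decoded host, reasons) for each log line with a URL."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        url = URL.search(entry.group("rest"))
        if not url:
            continue
        host, reasons = effective_host(url.group(0))
        findings.append((entry.group("code"), host, reasons))
    return findings


if __name__ == "__main__":
    for code, host, reasons in audit(SAMPLE_LOG):
        status = "; ".join(reasons) if reasons else "plain URL"
        print("%-4s %-18s %s" % (code, host, status))
```
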
 • I have not done any Win98 updates because I can only update the infected PC via dial-up. I will do that later at the owner's place.
  The logs are being quickly copied over on a floppy and then posted here.

  By the way, I notice that as soon as I open this CT page a message appears that a trojan shows up in my TempInternetFiles.
  Did I infect CT by posting these logs?

  Here is a new log
  Thanks in advance for the check..
  Zabadak


  Logfile of HijackThis v1.97.7
  Scan saved at 21:24:15, on 6-10-04
  Platform: Windows 98 Gold (Win9x 4.10.1998)
  MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

  Running processes:
  C:\WINDOWS\SYSTEM\KERNEL32.DLL
  C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  C:\WINDOWS\SYSTEM\MPREXE.EXE
  C:\WINDOWS\SYSTEM\mmtask.tsk
  C:\WINDOWS\SYSTEM\MSTASK.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE DESKTOP FIREWALL FOR WINDOWS 98\FIRESVC.EXE
  C:\WINDOWS\EXPLORER.EXE
  C:\WINDOWS\STARTER.EXE
  C:\WINDOWS\TASKMON.EXE
  C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  C:\WINDOWS\SYSTEM\ATITASK.EXE
  C:\WINDOWS\SYSTEM\ATICWD32.EXE
  C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
  C:\PROGRAM FILES\MOUSE\SYSTEM\EM_EXEC.EXE
  C:\WINDOWS\LOADQM.EXE
  C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
  C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
  C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
  C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
  C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE DESKTOP FIREWALL FOR WINDOWS 98\FIRETRAY.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
  C:\WINDOWS\SYSTEM\RNAAPP.EXE
  C:\WINDOWS\SYSTEM\TAPISRV.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
  C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
  C:\_ZABADAK\HIJACKTHIS.EXE

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
  O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
  O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
  O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
  O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
  O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
  O4 - HKLM\..\Run: [Atikey] Atitask.exe
  O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
  O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
  O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
  O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\mouse\system\em_exec.exe
  O4 - HKLM\..\Run: [LoadQM] loadqm.exe
  O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
  O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
  O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
  O4 - HKLM\..\RunServices: [FireService] C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 98\FireSvc.exe
  O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
  O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
  O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
  O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
  O4 - Startup: Corel Family and Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic\cffrem.exe
  O4 - Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 98\FireTray.exe
  O9 - Extra button: Related (HKLM)
  O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
  O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid
  O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
  O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 • Empty the temporary internet files folder: Control Panel - Internet Options - General tab - under Temporary Internet Files click Delete Files.

  This log looks good.
  Next time, use the new version of HijackThis.
