hijackthislog about:blank

Anonymous
87 replies
  • Logfile of HijackThis v1.99.0
    Scan saved at 19:19:12, on 14/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\EXPLORER.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\WINDOWS.000\NOTEPAD.EXE
    C:\WINDOWS.000\DESKTOP\SPYWARE REMOVALS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\Intern~1\Plugins\NPDocBox.dll
    O12 - Plugin for .php: C:\PROGRA~1\Intern~1\PLUGINS\nppdf32.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab


    StartDreck (build 2.1.7 public stable) - 2005-02-14 @ 19:20:56 (GMT +01:00)
    Platform: Windows 98 SE (Win 4.10.2222 A)
    Internet Explorer: 6.0.2800.1106
    Logged in as at SUS GOVAERTS

    »Registry
    »Run Keys
    »Current User
    »Run
    »RunOnce
    »Default User
    »Run
    »RunOnce
    »Local Machine
    »Run
    *AVGCtrl=C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    *EnsoniqMixer=starter.exe
    »RunOnce
    »RunServices
    »RunServicesOnce
    **ve=rundll32 C:\WINDOWS.000\PRINTVR.TXT,DllGetClassObject
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    +FFCF919B=C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    +FFC045FF=C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    +FFC0507F=C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    +FFC03DDF=C:\WINDOWS.000\SYSTEM\mmtask.tsk
    +FFC0C743=C:\WINDOWS.000\RUNDLL32.EXE
    +FFC00703=C:\WINDOWS.000\EXPLORER.EXE
    +FFC0BB6F=C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    +FFC1398F=C:\WINDOWS.000\NOTEPAD.EXE
    +FFC219E3=C:\WINDOWS.000\NOTEPAD.EXE
    +FFC27873=C:\WINDOWS.000\DESKTOP\STARTDRECK\STARTDRECK.EXE
    »Application specific


    Hoping for the best,

    Guft.
  • The situation is still the same; I know the start page is going to come back, I can tell from opening Explorer. The many 'Iexplore' entries in Task Manager are still there too.

    I did try several times to run Rkfiles (in safe mode), but the PC froze every time while checking 'system'.

    Any other options, or am I doomed to format c: (something I really don't want to do)?

    Guft. :(
  • Hold off on formatting for now, Guft. We have had more stubborn variants of this one before.
    Can you tell me what your start page is? Search the Web?

    Run this tool: http://securityresponse.symantec.com/avcenter/FxAgentB.exe
    Before you start the program, disconnect from the internet. Make sure all open windows are closed and end all running programs.
    Restart the computer afterwards. Make a new HijackThis log and post it.
    Also let me know the result of that FxAgentB.
  • I'll try to take a screenshot of the start page.

    Disconnecting the internet = shutting down, or via Task Manager, or pulling the plug??


    Guft.
  • Pull the plug, Guft.
  • Logfile of HijackThis v1.99.0
    Scan saved at 20:49:06, on 15/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\EXPLORER.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\WINDOWS.000\DESKTOP\SPYWARE REMOVALS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS.000\SYSTEM\QTTASK.EXE" -atboottime
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\Intern~1\Plugins\NPDocBox.dll
    O12 - Plugin for .php: C:\PROGRA~1\Intern~1\PLUGINS\nppdf32.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

    ____________

    Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


    Backdoor.Agent.B has not been found on your computer.

    ____________



    [image: http://users.telenet.be/holzgau2005/spyware.jpg]


    edit: This is indeed the start page in question; I came across it by typing a non-existent site into the address bar. When Explorer is open, 'about:blank' is shown in the address bar, but not right now.
  • Guft,

    I'm afraid something did go wrong with one or both of the tools.

    In any case, make sure all hidden files are shown.

    Did you unzip all the rkfiles files to c:\rkfiles? Did you start rkfiles.bat in safe mode?
    Did you extract all the files from Remv3.zip into a folder of their own and run remv3.bat from that same folder in safe mode?

    Try remv3.bat again, because it should turn up more:
    Download remv3.zip
    Unzip it. Start the computer in safe mode. Double-click remv3.bat.
    Let the batch file do its work.
    Restart the computer in normal mode.
    Use Windows Explorer to find the file C:\log.txt.
    Post the contents of log.txt together with a new HijackThis log.
  • M@rc,

    I'm sure I followed your steps correctly every time. Unfortunately, as with 'rkfiles', the PC froze every time.

    With the 'remv3' run below (found via Google, the link didn't work), prompts popped up with values that had to be added to the registry. I clicked 'yes' each time, after which an error message followed saying that nothing could be added.


    ECHO is ingesteld op aan.
    Checking for version 1 Files…….
    "Files found"
    ———————————————————————

    deleting files……..
    ———————————————————

    "Files Not Deleted"
    ———————————————————————

    Checking for version 2 files……….
    Files Found
    ————————————————————

    deleting files……..
    ———————————————————

    Files Not deleted
    ————————————————————


    Checking version 3 Files……………….
    Files Found ………………
    —————————————-

    Files not Deleted………….
    —————————————-

    Merging registry entries
    —————————————————————–
    The Registry Entries Found…
    —————————————————————–


    Other bad files to be Manually deleted.. Please Note that This might also list Legit Files, be careful while Deleting
    —————————————————————–
    Finished


    *******

    Logfile of HijackThis v1.99.0
    Scan saved at 21:31:03, on 15/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\EXPLORER.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS.000\DESKTOP\SPYWARE REMOVALS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS.000\SYSTEM\QTTASK.EXE" -atboottime
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\Intern~1\Plugins\NPDocBox.dll
    O12 - Plugin for .php: C:\PROGRA~1\Intern~1\PLUGINS\nppdf32.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

    I won't be back on the forum until tomorrow evening,


    Guft.
  • The link to the original download location has apparently changed.
    I've updated it. Delete all files/folders from remv3.zip.

    Download remv3.zip.
    Unzip all files into a folder of their own. Start the computer in safe mode.
    Disconnect your internet connection.
    Double-click remv3.bat.
    Let the batch file do its work.
    Restart the computer in normal mode.
    Use Windows Explorer to find the file C:\log.txt.
    Post the contents of log.txt together with a new HijackThis log.
  • ECHO is ingesteld op aan.
    Checking for version 1 Files…….
    "Files found"
    ———————————————————————

    deleting files……..
    ———————————————————

    "Files Not Deleted"
    ———————————————————————

    Checking for version 2 files……….
    Files Found
    ————————————————————

    deleting files……..
    ———————————————————

    Files Not deleted
    ————————————————————


    Checking version 3 Files……………….
    Files Found ………………
    —————————————-

    Files not Deleted………….
    —————————————-

    Merging registry entries
    —————————————————————–
    The Registry Entries Found…
    —————————————————————–


    Other bad files to be Manually deleted.. Please Note that This might also list Legit Files, be careful while Deleting
    —————————————————————–
    Finished

    _______________


    Logfile of HijackThis v1.99.0
    Scan saved at 22:14:52, on 16/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\EXPLORER.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS.000\DESKTOP\SPYWARE REMOVALS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS.000\SYSTEM\QTTASK.EXE" -atboottime
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\Intern~1\Plugins\NPDocBox.dll
    O12 - Plugin for .php: C:\PROGRA~1\Intern~1\PLUGINS\nppdf32.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab


    Status: the start page is going to come back, I'm afraid; I can tell from opening Explorer. The many 'Iexplore' entries in Task Manager are still there too.


    Guft.
  • Go to Start - Run and type in (use copy/paste):

    regedit /e c:\aaaMS4hd.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd"

    Do the same for:

    regedit /e c:\aaahd.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Hd"

    Check whether there are 2 files on your C drive: aaaMS4hd.txt and aaahd.txt.
    If you find them, post the contents of both files.
    If you don't find them, let me know.
  • Instructions carried out, but the two text files were not found.

    Unfortunately.

    Guft.
  • Download CWShredder.
    Start the program, click the Fix button.
    Let me know the result. Still troubled by the hijacker, Guft?

    If the infection comes back, make a HijackThis log and post it.
    Don't fix anything. We'll then try to dig a bit deeper.
  • Guft, make a HijackThis log when the infection is visible in the log.
    Then post the log.
    Then I'll have something to go on.
    Also update your version of HijackThis (we're at version 1.99.1).

    qttasks.exe is a CWS variant.
    It did not appear in your log.
  • Logfile of HijackThis v1.99.1
    Scan saved at 17:14:31, on 17/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\EXPLORER.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS.000\DESKTOP\SPYWARE REMOVALS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {956E7442-80FF-11D9-ABFE-00E039CA5588} - C:\WINDOWS.000\SYSTEM\EIB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS.000\SYSTEM\QTTASK.EXE" -atboottime
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS.000\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\Intern~1\Plugins\NPDocBox.dll
    O12 - Plugin for .php: C:\PROGRA~1\Intern~1\PLUGINS\nppdf32.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O18 - Filter: text/html - {956E7441-80FF-11D9-ABFE-00E0C918CBFF} - C:\WINDOWS.000\SYSTEM\EIB.DLL
    O18 - Filter: text/plain - {956E7441-80FF-11D9-ABFE-00E0C918CBFF} - C:\WINDOWS.000\SYSTEM\EIB.DLL
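
Added example, not part of the original thread and not code from HijackThis or from any poster: comparing the 16/02/05 and 17/02/05 logs above isolates the entries that appeared once the hijack became visible and groups them by the file they load. The two excerpts are abridged from those logs; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged from the 16/02/05 HijackThis log posted in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
"""

# Abridged from the 17/02/05 HijackThis log posted in this thread.
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {956E7442-80FF-11D9-ABFE-00E039CA5588} - C:\WINDOWS.000\SYSTEM\EIB.DLL
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O18 - Filter: text/html - {956E7441-80FF-11D9-ABFE-00E0C918CBFF} - C:\WINDOWS.000\SYSTEM\EIB.DLL
"""

# A log entry is "<section code> - <detail>", e.g. "O2 - BHO: ...".
# Header lines and the process list do not match and are skipped.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")
# A drive-letter path ending in a loadable file, also inside a res:// URL.
FILE_REF = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)


def parse_entries(log_text):
    """Map a case-insensitive key to the (section, detail) pair of each entry."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            section = m.group(1)
            detail = " ".join(m.group(2).split())  # collapse stray whitespace
            # HijackThis reports the same path in varying case between runs.
            entries[(section, detail.casefold())] = (section, detail)
    return entries


def diff_logs(before, after):
    """Return (added, removed) entries between two HijackThis logs."""
    old, new = parse_entries(before), parse_entries(after)
    added = sorted(new[k] for k in new.keys() - old.keys())
    removed = sorted(old[k] for k in old.keys() - new.keys())
    return added, removed


def files_behind(entries):
    """Group entries by the file they reference: {PATH: {section codes}}."""
    by_file = defaultdict(set)
    for section, detail in entries:
        for path in FILE_REF.findall(detail):
            by_file[path.upper()].add(section)
    return dict(by_file)


if __name__ == "__main__":
    added, removed = diff_logs(BEFORE, AFTER)
    print("New entries:")
    for section, detail in added:
        print(f"  {section} - {detail}")
    print("Entries that disappeared:")
    for section, detail in removed:
        print(f"  {section} - {detail}")
    print("Files behind the new entries:")
    for path, sections in sorted(files_behind(added).items()):
        print(f"  {path}  <- {', '.join(sorted(sections))}")
```

A file that shows up under several sections at once (here a BHO and a protocol filter) has to be cleaned from every one of those registration points, which is why the next reply asks for a registry search on both CLSIDs and both file names.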
  • Download the Registry Search Tool here. Unzip it and run the script. If your antivirus program reacts, you need to turn off Script blocking in the antivirus program. In the search field, enter the following:
    {956E7441-80FF-11D9-ABFE-00E0C918CBFF}
    Post the result.

    Do this as well for:
    EIB.DLL
    se.dll
    {956E7442-80FF-11D9-ABFE-00E039CA5588}
  • REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "{956E7441-80FF-11D9-ABFE-00E0C918CBFF}" 17/02/05 17:49:58

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7441-80FF-11D9-ABFE-00E0C918CBFF}]

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7441-80FF-11D9-ABFE-00E0C918CBFF}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\CLASSES\PROTOCOLS\Filter\text/html]
    "CLSID"="{956E7441-80FF-11D9-ABFE-00E0C918CBFF}"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\PROTOCOLS\Filter\text/plain]
    "CLSID"="{956E7441-80FF-11D9-ABFE-00E0C918CBFF}"

    ———-

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "EIB.DLL" 17/02/05 17:52:31

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
    "UninstallString"="regsvr32 /s /u C:\\WINDOWS.000\\SYSTEM\\EIB.DLL"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7441-80FF-11D9-ABFE-00E0C918CBFF}\InProcServer32]
    @="C:\\WINDOWS.000\\SYSTEM\\EIB.DLL"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7442-80FF-11D9-ABFE-00E039CA5588}\InProcServer32]
    @="C:\\WINDOWS.000\\SYSTEM\\EIB.DLL"

    ———–

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "se.dll" 17/02/05 17:54:50

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\1E827DC844622D11AA48000A9CF0750B]
    "314000001E872D116BF00006799C897E"="C:\\Program Files\\Microsoft Office\\Office\\SQLPARSE.DLL"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Search Bar"="res://C:\\WINDOWS.000\\TEMP\\se.dll/sp.html"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{B750E756-EE6D-11D0-AA18-0000F8753A58}]
    "$DLL"="psbase.dll"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{B750E756-EE6D-11D0-AA18-0000F8753A58}]
    "$DLL"="psbase.dll"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS Cryptographic Provider]
    "Image Path"="dssbase.dll"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider]
    "Image Path"="dssbase.dll"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0]
    "Image Path"="rsabase.dll"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{8F6C7662-E8A1-11D0-B9B3-2A92D0000000}\InprocServer32]
    @="C:\\Program Files\\Microsoft Office\\Office\\SQLPARSE.DLL"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{939438A9-CF0F-44d8-9140-599736F0D3A2}\InprocServer32]
    @="C:\\WINDOWS.000\\SYSTEM\\PDBROWSE.DLL"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{fecd606e-7161-4cbc-a868-4703867823ea}\InprocServer32]
    @="C:\\WINDOWS.000\\SYSTEM\\PDBROWSE.DLL"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{8F6C7660-E8A1-11D0-B9B3-2A92D0000000}\1.0\0\win32]
    @="C:\\PROGRA~1\\MICROS~1\\OFFICE\\SQLPARSE.DLL"

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ProtectedStorage\Parameters\S2]
    "psbase.dll"=hex:b7,15,79,e8,01,2b,d6,a2,91,01,98,28,ff,35,b8,74,70,0d,01,20,\

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
    "RSABASE"="RSABASE.DLL"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Search Bar"="res://C:\\WINDOWS.000\\TEMP\\se.dll/sp.html"

    ————–

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "{956E7442-80FF-11D9-ABFE-00E039CA5588}" 17/02/05 17:57:40

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{956E7442-80FF-11D9-ABFE-00E039CA5588}]

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7442-80FF-11D9-ABFE-00E039CA5588}]

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7442-80FF-11D9-ABFE-00E039CA5588}\InProcServer32]
  • Looks good, Guft.
    What is the situation now? Does the hijacker still keep coming back?
  • Situation is still the same.

    Hijacker threatens to come back.

    Is there still hope?


    Guft. :cry:
  • Open a Notepad file.
    Copy the code below into this Notepad file.
    Go to File - Save As.
    For "Save in", choose: Desktop
    For "File name", enter: fix.reg
    For "Save as type", select: All Files (*.*).
    Click the Save button.
    [code:1:37f897b77e]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7441-80FF-11D9-ABFE-00E0C918CBFF}]

    [-HKEY_LOCAL_MACHINE\Software\CLASSES\PROTOCOLS\Filter\text/html]

    [-HKEY_LOCAL_MACHINE\Software\CLASSES\PROTOCOLS\Filter\text/plain]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]

    [-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7441-80FF-11D9-ABFE-00E0C918CBFF}]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{956E7442-80FF-11D9-ABFE-00E039CA5588}]

    [-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7442-80FF-11D9-ABFE-00E039CA5588}]
    [/code:1:37f897b77e]


    Make sure all hidden files are shown.

    Start the computer in safe mode.


    Close all open windows, run HijackThis once more and have the following items fixed; make a log, save it and post it later.
    Then fix the following keys:
    [b:37f897b77e]
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {956E7442-80FF-11D9-ABFE-00E039CA5588} - C:\WINDOWS.000\SYSTEM\EIB.DLL

    O18 - Filter: text/html - {956E7441-80FF-11D9-ABFE-00E0C918CBFF} - C:\WINDOWS.000\SYSTEM\EIB.DLL
    O18 - Filter: text/plain - {956E7441-80FF-11D9-ABFE-00E0C918CBFF} - C:\WINDOWS.000\SYSTEM\EIB.DLL
    [/b:37f897b77e]

    Delete the following files if present:
    C:\WINDOWS.000\SYSTEM\EIB.DLL

    Delete all files in C:\WINDOWS.000\Temp

    Empty the Temporary Internet Files folder: Control Panel - Internet Options - General tab - under Temporary Internet Files, click Delete Files.

    Double-click fix.reg and allow the changes to be added to the registry.

    Reboot the computer, run HijackThis again, make a new log and post it. Also post the log you made in safe mode.

    If something doesn't work or goes wrong, please let us know.
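
A way to check which registry keys from the RegSrch results are actually removed by the fix.reg in the post above, and which are left for the HijackThis fixes; this is an added example, not part of the original thread. The function names are hypothetical, and the two sample texts are excerpts copied from the posts.

```python
# Excerpt of the RegSrch results posted in the thread (sample input).
SEARCH_RESULTS = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
"UninstallString"="regsvr32 /s /u C:\\WINDOWS.000\\SYSTEM\\EIB.DLL"
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7441-80FF-11D9-ABFE-00E0C918CBFF}\InProcServer32]
@="C:\\WINDOWS.000\\SYSTEM\\EIB.DLL"
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7442-80FF-11D9-ABFE-00E039CA5588}\InProcServer32]
@="C:\\WINDOWS.000\\SYSTEM\\EIB.DLL"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="res://C:\\WINDOWS.000\\TEMP\\se.dll/sp.html"
'''

# Excerpt of the fix.reg from the post (sample input).
FIX_REG = r'''
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7441-80FF-11D9-ABFE-00E0C918CBFF}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{956E7442-80FF-11D9-ABFE-00E039CA5588}]
'''

def parse_sections(reg_text):
    """Return {key_path: [value lines]} for each [key] section of REGEDIT4 text."""
    sections, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and not line.startswith(";") and current is not None:
            sections[current].append(line)
    return sections

def deleted_keys(fix_text):
    """Keys a REGEDIT4 file removes, i.e. sections written as [-key] (lowercased)."""
    return [k[1:].lower() for k in parse_sections(fix_text) if k.startswith("-")]

def coverage(search_text, fix_text, needles):
    """Split keys whose values mention a needle into (covered, remaining)."""
    dels = deleted_keys(fix_text)
    covered, remaining = [], []
    for key, values in parse_sections(search_text).items():
        if any(n.lower() in v.lower() for v in values for n in needles):
            k = key.lower()  # registry paths are case-insensitive
            # Deleting a key also deletes all of its subkeys.
            hit = any(k == d or k.startswith(d + "\\") for d in dels)
            (covered if hit else remaining).append(key)
    return covered, remaining

if __name__ == "__main__":
    print(coverage(SEARCH_RESULTS, FIX_REG, ["EIB.DLL", "se.dll"])[1])
```

The one key reported as remaining holds the "Search Bar" value pointing at se.dll, which the post handles through the HijackThis R1 fixes rather than through fix.reg.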


This is an archived page. Replies are no longer possible.